File xsa428-1.patch of Package xen.28173

x86/HVM: bound number of pinned cache attribute regions

This is exposed via DMOP, i.e. to potentially not fully privileged
device models. With that we may not permit registration of an (almost)
unbounded amount of such regions.

This is CVE-2022-42333 / part of XSA-428.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/mtrr.c
+++ b/xen/arch/x86/hvm/mtrr.c
@@ -598,6 +598,7 @@ int hvm_set_mem_pinned_cacheattr(struct
                                  uint64_t gfn_end, uint32_t type)
 {
     struct hvm_mem_pinned_cacheattr_range *range;
+    unsigned int nr = 0;
     int rc = 1;
 
     if ( !is_hvm_domain(d) )
@@ -669,11 +670,15 @@ int hvm_set_mem_pinned_cacheattr(struct
             rc = -EBUSY;
             break;
         }
+        ++nr;
     }
     rcu_read_unlock(&pinned_cacheattr_rcu_lock);
     if ( rc <= 0 )
         return rc;
 
+    if ( nr >= 64 /* The limit is arbitrary. */ )
+        return -ENOSPC;
+
     range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
     if ( range == NULL )
         return -ENOMEM;