File 68c0195d-x86-Viridian-NULL-deref-in-update_reference_tsc.patch of Package xen.41885

# Commit 5776a2e9db0155cfd76388c8197ca7788bb4b361
# Date 2025-09-09 14:11:09 +0200
# Author Roger Pau Monne <roger.pau@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/viridian: avoid NULL pointer dereference in update_reference_tsc()

The function is only called when the MSR has the enabled bit set, but even
then the page might not be mapped because the guest provided gfn is not
suitable.

Prevent a NULL pointer dereference in update_reference_tsc() by checking
whether the page is mapped.

This is CVE-2025-27466 / part of XSA-472.

Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/viridian/time.c
+++ b/xen/arch/x86/hvm/viridian/time.c
@@ -26,6 +26,10 @@ static void update_reference_tsc(const s
     HV_REFERENCE_TSC_PAGE *p = rt->ptr;
     uint32_t seq;
 
+    /* Reference TSC page might not be mapped even if the MSR is enabled. */
+    if ( !p )
+        return;
+
     if ( initialize )
         clear_page(p);
 
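Review bot: The new `if ( !p ) return;` at the top of update_reference_tsc() returns silently, and its comment says only that the page "might not be mapped", not why. The commit message has the reason: the guest-provided gfn may be unsuitable, so `rt->ptr` can be NULL even with the MSR enabled bit set. Consider carrying that into the comment so the check is not later dropped as redundant with the callers' enabled-bit test. The placement is right, since `clear_page(p)` under `if ( initialize )` is the first use of `p` in the visible code. Because the function returns void, a skipped update is invisible to the caller; please confirm that is intended on the `initialize` path as well.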