File xen.144aec4140515c53bb1676df71a469f3e285c557.patch of Package xen

From: Jan Beulich <jbeulich@suse.com>
Date: Wed, 26 Apr 2017 09:48:45 +0200
Subject: 144aec4140515c53bb1676df71a469f3e285c557
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

x86/32on64: properly honor add-to-physmap-batch's size

Commit 407a3c00ff ("compat/memory: fix build with old gcc") "fixed" a
build issue by switching to the use of uninitialized data. Due to
- the bounding of the uninitialized data item
- the accessed area being outside of Xen space
- arguments being properly verified by the native hypercall function
this is not a security issue.

Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Julien Grall <julien.grall@arm.com>
---
 xen/common/compat/memory.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -204,30 +204,32 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
             if ( copy_from_guest(&cmp.atp, compat, 1) )
                 return -EFAULT;
 
             XLAT_add_to_physmap(nat.atp, &cmp.atp);
 
             break;
 
         case XENMEM_add_to_physmap_batch:
         {
             unsigned int limit = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.atpb))
                                  / (sizeof(nat.atpb->idxs.p) + sizeof(nat.atpb->gpfns.p));
             /* Use an intermediate variable to suppress warnings on old gcc: */
-            unsigned int size = cmp.atpb.size;
+            unsigned int size;
             xen_ulong_t *idxs = (void *)(nat.atpb + 1);
             xen_pfn_t *gpfns = (void *)(idxs + limit);
 
-            if ( copy_from_guest(&cmp.atpb, compat, 1) ||
-                 !compat_handle_okay(cmp.atpb.idxs, size) ||
+            if ( copy_from_guest(&cmp.atpb, compat, 1) )
+                return -EFAULT;
+            size = cmp.atpb.size;
+            if ( !compat_handle_okay(cmp.atpb.idxs, size) ||
                  !compat_handle_okay(cmp.atpb.gpfns, size) ||
                  !compat_handle_okay(cmp.atpb.errs, size) )
                 return -EFAULT;
 
             end_extent = start_extent + limit;
             if ( end_extent > size )
                 end_extent = size;
 
             idxs -= start_extent;
             gpfns -= start_extent;
 
             for ( i = start_extent; i < end_extent; ++i )
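Review bot: The ordering fix is correct, but the surviving comment ("Use an intermediate variable to suppress warnings on old gcc:") no longer tells the reader why `size` is declared uninitialized and assigned only after `copy_from_guest(&cmp.atpb, compat, 1)`; in the removed lines the initializer `unsigned int size = cmp.atpb.size;` ran before that copy, so `size` was read from the not-yet-filled `cmp.atpb` and then fed to the three `compat_handle_okay()` checks and the `end_extent > size` clamp. Consider extending the comment to say the assignment is deliberately placed after the copy so `size` reflects guest-supplied data, which keeps the next person from "simplifying" it back into an initializer. Splitting the copy into its own `return -EFAULT;` statement is fine and arguably clearer than the previous combined condition.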