Overview

File CVE-2012-4536-xsa21.patch of Package xen.openSUSE_12.1_Update

References: CVE-2012-4536 XSA-21 bnc#786518

x86/physdev: Range check pirq parameter from guests

Otherwise Xen will read beyond either end of the struct
domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.

This vulnerability was introduced by c/s 23241:d21100f1d00e, which adds
a call to domain_pirq_to_emuirq() which uses the guest provided pirq
value before range checking it, and was fixed by c/s 23573:584c2e5e03d9
which changed the behaviour of the domain_pirq_to_emuirq() macro to use
radix trees instead of a flat array.

This is XSA-21 / CVE-2012-4536.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -238,6 +238,10 @@ static int physdev_unmap_pirq(struct phy
     if ( ret )
         return ret;
 
+    ret = -EINVAL;
+    if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
+        goto free_domain;
+
     if ( is_hvm_domain(d) )
     {
         spin_lock(&d->event_lock);
openSUSE Build Service is sponsored by
Places