
changeset 2408:952b9b06fc86

bitkeeper revision 1.1159.53.29 (41375973qY_UE105oFj3W3t-UwIp5g)

Fix security hole in multicall hypercall. Now check that the multicall
list does not overlap Xen's private address space.
author kaf24@scramble.cl.cam.ac.uk
date Thu Sep 02 17:33:39 2004 +0000 (2004-09-02)
parents 8771bd7cd7bb
children 7ed44d755dda
files xen/arch/x86/x86_32/entry.S
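--- a/xen/arch/x86/x86_32/entry.S	Wed Sep 01 19:17:37 2004 +0000
+++ b/xen/arch/x86/x86_32/entry.S	Thu Sep 02 17:33:39 2004 +0000
@@ -148,6 +148,7 @@ ENTRY(continue_nonidle_task)
  *   2. We cannot recursively call HYPERVISOR_multicall, or a malicious
  *      caller could cause our stack to blow up.
  */
+#define MULTICALL_ENTRY_ORDER 5
 do_multicall:
         popl  %eax
         cmpl  $SYMBOL_NAME(multicall_return_from_call),%eax
@@ -155,6 +156,13 @@ do_multicall:
         pushl %ebx
         movl  4(%esp),%ebx   /* EBX == call_list */
         movl  8(%esp),%ecx   /* ECX == nr_calls  */
+        /* Ensure the entire multicall list is below HYPERVISOR_VIRT_START. */
+        movl  %ecx,%eax
+        shll  $MULTICALL_ENTRY_ORDER,%eax
+        addl  %ebx,%eax      /* EAX == end of multicall list */
+        jc    bad_multicall_address
+        cmpl  $__HYPERVISOR_VIRT_START,%eax
+        jnc   bad_multicall_address
 multicall_loop:
         pushl %ecx
 multicall_fault1: 
@@ -176,12 +184,17 @@ multicall_fault7:
         movl  %eax,24(%ebx) # args[5] == result
         addl  $20,%esp
         popl  %ecx
-        addl  $(ARGS_PER_MULTICALL_ENTRY*4),%ebx
+        addl  $(1<<MULTICALL_ENTRY_ORDER),%ebx
         loop  multicall_loop
         popl  %ebx
         xorl  %eax,%eax
         jmp   ret_from_hypercall
 
+bad_multicall_address:
+        popl  %ebx
+        movl  $-EFAULT,%eax
+        jmp   ret_from_hypercall        
+                
 .section __ex_table,"a"
         .align 4
         .long multicall_fault1, multicall_fixup1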
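Review bot: The new range check in the second hunk can be bypassed with a large nr_calls, because `shll $MULTICALL_ENTRY_ORDER,%eax` silently discards the top five bits of the guest-supplied count and the `jc` only observes the carry of the following `addl`; a value such as 0x08000001 yields end == call_list + 32, passes the compare against __HYPERVISOR_VIRT_START, and the loop then advances %ebx by 32 per iteration straight into Xen's mapped address space, where the `movl %eax,24(%ebx)` result store is not something the __ex_table fixups will catch. nr_calls == 0 has the same effect, since `loop` decrements before testing and would iterate 2^32 times, and nothing visible in this hunk rejects it (the lines of do_multicall between the first and second hunk are outside my view, so I cannot rule out a check there). I would bound the count before computing the end address, as in the excerpt below, so that the shifted product can never wrap and the existing `jc`/`jnc` pair then covers the remaining cases. A zero-length list could equally be routed to the success exit instead of -EFAULT; either is safe, whereas the current fall-through into the loop is not. The `jnc` after the compare also rejects end == __HYPERVISOR_VIRT_START, which is conservative for an exclusive end pointer but harmless.
```asm
        movl  8(%esp),%ecx   /* ECX == nr_calls  */
        /* Bound nr_calls first: zero makes 'loop' iterate 2^32 times, and
         * anything >= 2^27 would wrap the shift below past 32 bits. */
        testl %ecx,%ecx
        jz    bad_multicall_address
        cmpl  $(__HYPERVISOR_VIRT_START>>MULTICALL_ENTRY_ORDER),%ecx
        jae   bad_multicall_address
        /* ... unchanged: end-of-list computation and HYPERVISOR_VIRT_START compare ... */
```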