changeset 2408:952b9b06fc86
bitkeeper revision 1.1159.53.29 (41375973qY_UE105oFj3W3t-UwIp5g)
Fix security hole in multicall hypercall. Now check whether the multicall
list overlaps Xen's private address space.
Fix security hole in multicall hypercall. Now check whether the multicall
list overlaps Xen's private address space.
author | kaf24@scramble.cl.cam.ac.uk |
date | Thu Sep 02 17:33:39 2004 +0000 (2004-09-02) |
parents | 8771bd7cd7bb |
children | 7ed44d755dda |
files | xen/arch/x86/x86_32/entry.S |
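--- a/xen/arch/x86/x86_32/entry.S
+++ b/xen/arch/x86/x86_32/entry.S
@@ -148,6 +148,7 @@ ENTRY(continue_nonidle_task)
  * 2. We cannot recursively call HYPERVISOR_multicall, or a malicious
  * caller could cause our stack to blow up.
  */
+#define MULTICALL_ENTRY_ORDER 5
 do_multicall:
         popl %eax
         cmpl $SYMBOL_NAME(multicall_return_from_call),%eax
@@ -155,6 +156,13 @@ do_multicall:
         pushl %ebx
         movl 4(%esp),%ebx /* EBX == call_list */
         movl 8(%esp),%ecx /* ECX == nr_calls */
+        /* Ensure the entire multicall list is below HYPERVISOR_VIRT_START. */
+        movl %ecx,%eax
+        shll $MULTICALL_ENTRY_ORDER,%eax
+        addl %ebx,%eax /* EAX == end of multicall list */
+        jc bad_multicall_address
+        cmpl $__HYPERVISOR_VIRT_START,%eax
+        jnc bad_multicall_address
 multicall_loop:
         pushl %ecx
 multicall_fault1:
@@ -176,12 +184,17 @@ multicall_fault7:
         movl %eax,24(%ebx) # args[5] == result
         addl $20,%esp
         popl %ecx
-        addl $(ARGS_PER_MULTICALL_ENTRY*4),%ebx
+        addl $(1<<MULTICALL_ENTRY_ORDER),%ebx
         loop multicall_loop
         popl %ebx
         xorl %eax,%eax
         jmp ret_from_hypercall
 
+bad_multicall_address:
+        popl %ebx
+        movl $-EFAULT,%eax
+        jmp ret_from_hypercall
+
 .section __ex_table,"a"
         .align 4
         .long multicall_fault1, multicall_fixup1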
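Review bot: The new range check in the second hunk does not bound nr_calls itself, because `shll $MULTICALL_ENTRY_ORDER,%eax` silently drops the top five bits of the count before the `addl`, so a count with those bits set (e.g. 1<<27) shifts to zero, the computed end equals call_list, both the `jc` and the `cmpl $__HYPERVISOR_VIRT_START` pass, and `loop multicall_loop` then walks %ebx upward across the boundary, with the `movl %eax,24(%ebx)` result store landing in Xen's address range if the intervening guest pages are mapped. Reject oversized counts before shifting, e.g. insert `cmpl $(__HYPERVISOR_VIRT_START>>MULTICALL_ENTRY_ORDER),%ecx` / `jae bad_multicall_address` ahead of `movl %ecx,%eax`; the existing carry check then becomes redundant but harmless. Separately, nothing visible rejects nr_calls == 0, which `loop` treats as 2^32 iterations; that may be filtered by the caller, but it is not shown here. The body of do_multicall continues outside the hunks (the per-entry loads between multicall_fault1 and multicall_fault7 are not part of this diff).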