xenbits.xensource.com Git - qemu-xen-unstable.git/commit

author	Ian Jackson <ian.jackson@eu.citrix.com>
	Mon, 14 Nov 2016 17:19:46 +0000 (17:19 +0000)
committer	Ian Jackson <Ian.Jackson@eu.citrix.com>
	Wed, 7 Dec 2016 16:51:36 +0000 (16:51 +0000)
commit	b669e922b37b8957248798a5eb7aa96a666cd3fe
tree	996bcd583f774079e75f558436b455e2cf83157b	tree
parent	89c4cbe8d234049b0145e4dc5e5d19d626250b57	commit \| diff

qemu: ioport_read, ioport_write: be defensive about 32-bit addresses

On x86, ioport addresses are 16-bit.  That these functions take 32-bit
arguments is a mistake.  Changing the argument type to 16-bit will
discard the top bits of any erroneous values from elsewhere in qemu.

Also, check just before use that the value is in range.  (This turns
an ill-advised change to MAX_IOPORTS into a possible guest crash
rather than a privilege escalation vulnerability.)

And, in the Xen ioreq processor, clamp incoming ioport addresses to
16-bit values.  Xen will never write >16-bit values but the guest may
have access to the ioreq ring.  We want to defend the rest of the qemu
code from wrong values.

This is XSA-199.

Reported-by: yanghongke <yanghongke@huawei.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

i386-dm/helper2.c		diff \| blob \| blame \| history
vl.c		diff \| blob \| blame \| history