xenbits.xensource.com Git - xen.git/commit

author	Ian Jackson <ian.jackson@eu.citrix.com>
	Fri, 14 Jun 2013 15:45:36 +0000 (16:45 +0100)
committer	Ian Jackson <Ian.Jackson@eu.citrix.com>
	Fri, 14 Jun 2013 15:45:36 +0000 (16:45 +0100)
commit	f7fb94409c562beec06094141ef262dc85f28dac
tree	baf294b3b7ba4e8cc52f90deb1a0bc781336ce74	tree
parent	bbf40e6b6d47809f4289a866d7d167c25104ecc0	commit \| diff

libxc: Fix range checking in xc_dom_pfn_to_ptr etc.

* Ensure that xc_dom_pfn_to_ptr (when called with count==0) does not
  return a previously-allocated block which is entirely before the
  requested pfn (!)

* Provide a version of xc_dom_pfn_to_ptr, xc_dom_pfn_to_ptr_retcount,
  which provides the length of the mapped region via an out parameter.

* Change xc_dom_vaddr_to_ptr to always provide the length of the
  mapped region and change the call site in xc_dom_binloader.c to
  check it.  The call site in xc_dom_load_elf_symtab will be corrected
  in a forthcoming patch, and for now ignores the returned length.

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
v5: This patch is new in v5 of the series.

tools/libxc/xc_dom.h		diff \| blob \| blame \| history
tools/libxc/xc_dom_binloader.c		diff \| blob \| blame \| history
tools/libxc/xc_dom_core.c		diff \| blob \| blame \| history
tools/libxc/xc_dom_elfloader.c		diff \| blob \| blame \| history