]> xenbits.xensource.com Git - xen.git/commitdiff
projects / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ca0fe6d)
x86: check segment descriptor read result in 64-bit OUTS emulation
authorMatthew Daley <mattjd@gmail.com>
Thu, 10 Oct 2013 13:25:58 +0000 (15:25 +0200)
committerJan Beulich <jbeulich@suse.com>
Thu, 10 Oct 2013 13:25:58 +0000 (15:25 +0200)
When emulating such an operation from a 64-bit context (CS has long
mode set), and the data segment is overridden to FS/GS, the result of
reading the overridden segment's descriptor (read_descriptor) is not
checked. If it fails, data_base is left uninitialized.

This can lead to 8 bytes of Xen's stack being leaked to the guest
(implicitly, i.e. via the address given in a #PF).

Coverity-ID: 1055116

This is CVE-2013-4368 / XSA-67.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Fix formatting.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
master commit: 0771faba163769089c9f05f7f76b63e397677613
master date: 2013-10-10 15:19:53 +0200

xen/arch/x86/traps.c patch | blob | blame | history

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index f69ca0b5494814164e5224335a63ce229d15f2f1..d33a6ec8a01cb43064c00bf7c0c7cef89788c070 100644 (file)
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1965,10 +1965,10 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
                     break;
                 }
             }
-            else
-                read_descriptor(data_sel, v, regs,
-                                &data_base, &data_limit, &ar,
-                                0);
+            else if ( !read_descriptor(data_sel, v, regs,
+                                       &data_base, &data_limit, &ar, 0) ||
+                      !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
+                goto fail;
             data_limit = ~0UL;
             ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
         }
Xen (staging and unstable) mirror