libxc/restore: Fix data auditing in handle_x86_pv_vcpu_blob()
authorAndrew Cooper <andrew.cooper3@citrix.com>
Thu, 19 Dec 2019 20:32:20 +0000 (20:32 +0000)
committerIan Jackson <ian.jackson@eu.citrix.com>
Tue, 5 May 2020 14:47:23 +0000 (15:47 +0100)
The current logic only works by chance, in that XSAVE records also tend to be
a multiple of 128.  Implement the missing logic for XSAVE.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
(cherry picked from commit 2a62c22715bf81c5695ae0511f89a940c7c6a492)
(cherry picked from commit 0e2bbcf8b4fe6f5fd23a341848f3785c213b26bb)
(cherry picked from commit 288872ad3bb320bd9f31145d9bd4e53786fa3245)
(cherry picked from commit a58bba28da793da70b93b841289d99370800180c)

tools/libxc/xc_sr_restore_x86_pv.c

index f058a37a64bd1f3af2cacfaf35c93fdc4d24d0c3..9d4c611bd5897d4e1e7c2aeaf2cb3a0dbbc92e82 100644 (file)
@@ -824,6 +824,15 @@ static int handle_x86_pv_vcpu_blob(struct xc_sr_context *ctx,
         break;
 
     case REC_TYPE_X86_PV_VCPU_XSAVE:
+        if ( blobsz < 128 )
+        {
+            ERROR("%s record too short: min %zu, got %u",
+                  rec_name, sizeof(*vhdr) + 128, rec->length);
+            goto out;
+        }
+        break;
+
+    case REC_TYPE_X86_PV_VCPU_MSRS:
         if ( blobsz % sizeof(xen_domctl_vcpu_msr_t) != 0 )
         {
             ERROR("%s record payload size %zu expected to be a multiple of %zu",
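Review bot: The 128-byte minimum in the new `case REC_TYPE_X86_PV_VCPU_XSAVE:` branch is a bare literal, written once in `blobsz < 128` and again in `sizeof(*vhdr) + 128`, with nothing saying which part of the XSAVE layout it represents. A named constant, or a comment such as `/* Minimum XSAVE payload accepted from the stream; see <layout reference>. */`, would keep the check and the message in step and make the bound auditable. The branch enforces only a lower bound, and the record comes from the migration stream. It is worth confirming that whatever consumes the blob after the switch caps its size and validates its contents; that code is outside this hunk, so this cannot be verified here. The body of handle_x86_pv_vcpu_blob() starts before and continues after the hunk.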