common/domain: block speculative out-of-bound accesses

When issuing a vcpu_op hypercall, guests have control over the
vcpuid variable. In the old code, this allowed to perform
speculative out-of-bound accesses. To block this, we make use
of the domain_vcpu function.

This is part of the speculative hardening effort.

Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/common/domain.c b/xen/common/domain.c
index a1f8bb4f2f4f608647adcdf7daaca28d8b391585..88bbe984bc6ce645a00a0d4d864685ff416acd72 100644 (file)
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1364,7 +1364,7 @@ long do_vcpu_op(int cmd, unsigned int vcpuid, XEN_GUEST_HANDLE_PARAM(void) arg)
     struct vcpu *v;
     long rc = 0;
 
-    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
+    if ( (v = domain_vcpu(d, vcpuid)) == NULL )
         return -ENOENT;
 
     switch ( cmd )