From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 14 Jun 2013 15:45:41 +0000 (+0100)
Subject: libxc: range checks in xc_dom_p2m_host and _guest
X-Git-Tag: 4.1.6-rc1~22
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=6eca85d5c144ee8c899ee3cf8791f9087b15f2e8;p=xen.git

libxc: range checks in xc_dom_p2m_host and _guest

These functions take guest pfns and look them up in the p2m.  They did
no range checking.

However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
to pass untrusted guest-supplied value(s).  It is most convenient to
detect this here and return INVALID_MFN.

This is part of the fix to a security issue, XSA-55.

Changes from Xen 4.2 version of this patch:
* 4.2 lacks dom->rambase_pfn, so don't add/subtract/check it.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---

diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
index 9dffbe6c1c..316e2ae765 100644
--- a/tools/libxc/xc_dom.h
+++ b/tools/libxc/xc_dom.h
@@ -315,6 +315,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn)
 {
     if (dom->shadow_enabled)
         return pfn;
+    if (pfn >= dom->total_pages)
+        return INVALID_MFN;
     return dom->p2m_host[pfn];
 }
 
@@ -323,6 +325,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom,
 {
     if (xc_dom_feature_translated(dom))
         return pfn;
+    if (pfn >= dom->total_pages)
+        return INVALID_MFN;
     return dom->p2m_host[pfn];
 }