From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Tue, 12 Sep 2017 13:06:39 +0000 (+0200)
Subject: grant_table: fix GNTTABOP_cache_flush handling
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e5740469878fc2c2a69b70a3b846c6a9121df34b;p=people%2Froyger%2Fxen.git

grant_table: fix GNTTABOP_cache_flush handling

Don't fall over a NULL grant_table pointer when the owner of the domain
is a system domain (DOMID_{XEN,IO} etc).

This is CVE-2017-14318 / XSA-232.

Reported-by: Matthew Daley <mattd@bugfuzz.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: c3d830b244998b3686e2eb64db95996be5eb5e5c
master date: 2017-09-12 14:44:11 +0200
---

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 5e3678a5f4..288aebf165 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3030,7 +3030,7 @@ static int __gnttab_cache_flush(gnttab_cache_flush_t *cflush,
 
     page = mfn_to_page(mfn);
     owner = page_get_owner_and_reference(page);
-    if ( !owner )
+    if ( !owner || !owner->grant_table )
     {
         rcu_unlock_domain(d);
         return -EPERM;