xenbits.xensource.com Git - xen.git/commit
x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
author: Andrew Cooper <andrew.cooper3@citrix.com>
Fri, 1 Jul 2016 00:02:04 +0000 (01:02 +0100)
committer: Andrew Cooper <andrew.cooper3@citrix.com>
Thu, 8 Sep 2016 15:39:46 +0000 (16:39 +0100)
commit: 4fa0105d95be6e7145a1f6fd1036ccd43976228c
tree: c69b030ea861ea6a810c878422c5d4aa239c7ab1
parent: 7b5cee79dad24e7006059667b02bd7de685d8ee5
x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]

HVM HAP codepaths have space for all segment registers in the seg_reg[]
cache (with x86_seg_none still risking an array overrun), while the shadow
codepaths only have space for the user segments.

Range check the input segment of *_get_seg_reg() against the size of the array
used to cache the results, to avoid overruns in the case that the callers
don't filter their input suitably.

Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
an incomplete attempt at range checking, and are now superseded.  Make
hvm_get_seg_reg() static, as it is not used outside of shadow/common.c.

No functional change, but far easier to reason that no overflow is possible.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Jan Beulich <jbeulich@suse.com>
xen/arch/x86/hvm/emulate.c
xen/arch/x86/mm/shadow/common.c
xen/arch/x86/mm/shadow/private.h
xen/include/asm-x86/hvm/emulate.h
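
The pattern the commit message describes, as an added sketch that is not the Xen code from this commit: two contexts cache segment registers in arrays of different sizes, and a shared getter range checks the requested segment against the size of the array it was given. The enum values, struct layouts and function names here are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical segment ids: six user segments, four system, one sentinel. */
enum seg { SEG_CS, SEG_SS, SEG_DS, SEG_ES, SEG_FS, SEG_GS,
           SEG_TR, SEG_LDTR, SEG_GDTR, SEG_IDTR, SEG_NONE };

struct seg_reg { uint64_t base; uint32_t limit; };

/* Two contexts with differently sized caches, as in the commit message. */
struct full_ctxt { uint32_t valid; struct seg_reg seg_reg[SEG_IDTR + 1]; };
struct user_ctxt { uint32_t valid; struct seg_reg seg_reg[SEG_GS + 1]; };

/* Shared helper: refuse any index outside the caller's cache. */
static struct seg_reg *cache_get(struct seg_reg *cache, size_t nr,
                                 uint32_t *valid, enum seg s)
{
    unsigned int idx = s;  /* unsigned, so a negative enum value also fails */

    if (idx >= nr)
        return NULL;
    if (!(*valid & (1u << idx))) {
        /* Stand-in for fetching the real register state on first use. */
        cache[idx].base = (uint64_t)idx << 12;
        cache[idx].limit = 0xffff;
        *valid |= 1u << idx;
    }
    return &cache[idx];
}

struct seg_reg *full_get_seg_reg(struct full_ctxt *c, enum seg s)
{
    return cache_get(c->seg_reg, ARRAY_SIZE(c->seg_reg), &c->valid, s);
}

struct seg_reg *user_get_seg_reg(struct user_ctxt *c, enum seg s)
{
    return cache_get(c->seg_reg, ARRAY_SIZE(c->seg_reg), &c->valid, s);
}

int main(void)
{
    struct user_ctxt u = {0};
    printf("SEG_TR in user cache: %p\n", (void *)user_get_seg_reg(&u, SEG_TR));
}
```

Because the bound comes from `ARRAY_SIZE()` of the array actually indexed, the check stays correct if either cache is later resized, and callers only need to handle a NULL return.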