From 44dbb797f043cd5ab084726641aeb1d178d18cd0 Mon Sep 17 00:00:00 2001 From: Jan Beulich Date: Tue, 4 Dec 2012 18:50:03 +0000 Subject: [PATCH] memop: limit guest specified extent order Allowing unbounded order values here causes almost unbounded loops and/or partially incomplete requests, particularly in PoD code. The added range checks in populate_physmap(), decrease_reservation(), and the "in" one in memory_exchange() architecturally all could use PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to MAX_ORDER. This is XSA-31 / CVE-2012-5515. Signed-off-by: Jan Beulich Acked-by: Tim Deegan Acked-by: Ian Jackson Committed-by: Ian Jackson --- xen/common/memory.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/xen/common/memory.c b/xen/common/memory.c index 59379d3607..51c3cc6f91 100644 --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -117,7 +117,8 @@ static void populate_physmap(struct memop_args *a) if ( a->memflags & MEMF_populate_on_demand ) { - if ( guest_physmap_mark_populate_on_demand(d, gpfn, + if ( a->extent_order > MAX_ORDER || + guest_physmap_mark_populate_on_demand(d, gpfn, a->extent_order) < 0 ) goto out; } @@ -216,7 +217,8 @@ static void decrease_reservation(struct memop_args *a) xen_pfn_t gmfn; if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, - a->nr_extents-1) ) + a->nr_extents-1) || + a->extent_order > MAX_ORDER ) return; for ( i = a->nr_done; i < a->nr_extents; i++ ) @@ -278,6 +280,9 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg) if ( (exch.nr_exchanged > exch.in.nr_extents) || /* Input and output domain identifiers match? */ (exch.in.domid != exch.out.domid) || + /* Extent orders are sensible? */ + (exch.in.extent_order > MAX_ORDER) || + (exch.out.extent_order > MAX_ORDER) || /* Sizes of input and output lists do not overflow a long? */ ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || -- 2.39.5