ia64/xen-unstable

changeset 17662:9044705960cb

ioemu: Fix PVFB backend to limit frame buffer size

The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu May 15 09:36:38 2008 +0100 (2008-05-15)
parents 86587698116d
children 29dc52031954
files tools/ioemu/hw/xenfb.c
line diff
     1.1 --- a/tools/ioemu/hw/xenfb.c	Wed May 14 14:12:53 2008 +0100
     1.2 +++ b/tools/ioemu/hw/xenfb.c	Thu May 15 09:36:38 2008 +0100
     1.3 @@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
     1.4  		fprintf(stderr,
     1.5  			"FB: frontend fb size %zu limited to %zu\n",
     1.6  			fb_len, fb_len_lim);
     1.7 +		fb_len = fb_len_lim;
     1.8  	}
     1.9  	if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
    1.10  		fprintf(stderr,
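Review bot: The assignment `fb_len = fb_len_lim;` at 1.7 carries no comment, and the only other content of its block is the "limited to" log line, so nothing in the code marks it as the statement that bounds how much guest memory the backend will try to map. A one-line comment above it saying that the frontend-supplied size is untrusted and must be clamped before any mapping would make it harder for a later cleanup to drop the assignment again. The rest of xenfb_configure_fb is not visible in this hunk, so it is also worth confirming that the checks following the depth test at 1.9, and the mapping itself, read `fb_len` only after this point, so that a geometry which fits only in the unclamped size is rejected rather than accepted against the old value.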