WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-changelog

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-changelog] [xen-unstable] ioemu: Fix PVFB backend to limit frame bu

from [Xen patchbot-unstable] [Permanent Link][Original]
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] ioemu: Fix PVFB backend to limit frame buffer size
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 May 2008 04:40:24 -0700
Delivery-date: Thu, 15 May 2008 04:41:01 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx 
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210840598 -3600
# Node ID 9044705960cb30cec385bdca7305bcf7db096721
# Parent  86587698116d742ff257e64ddfd230157fcee42c
ioemu: Fix PVFB backend to limit frame buffer size

The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly.  This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
---
 tools/ioemu/hw/xenfb.c |    1 +
 1 files changed, 1 insertion(+)

diff -r 86587698116d -r 9044705960cb tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Wed May 14 14:12:53 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c    Thu May 15 09:36:38 2008 +0100
@@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
                fprintf(stderr,
                        "FB: frontend fb size %zu limited to %zu\n",
                        fb_len, fb_len_lim);
+               fb_len = fb_len_lim;
        }
        if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
                fprintf(stderr,

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] ioemu: Fix PVFB backend to limit frame buffer size, Xen patchbot-unstable <=
Previous by Date:  [Xen-changelog] [xen-unstable] x86: Implement cpufreq ondemand policy, Xen patchbot-unstable
Next by Date:  [Xen-changelog] [linux-2.6.18-xen] Sync Xen public headers., Xen patchbot-linux-2.6.18-xen
Previous by Thread:  [Xen-changelog] [xen-unstable] x86: Implement cpufreq ondemand policy, Xen patchbot-unstable
Next by Thread:  [Xen-changelog] [linux-2.6.18-xen] Sync Xen public headers., Xen patchbot-linux-2.6.18-xen
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy