WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-changelog

[Xen-changelog] [xen-3.2-testing] ioemu: Fix PVFB backend to limit frame

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-3.2-testing] ioemu: Fix PVFB backend to limit frame buffer size
From: "Xen patchbot-3.2-testing" <patchbot-3.2-testing@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 May 2008 07:30:31 -0700
Delivery-date: Thu, 15 May 2008 07:30:44 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210841612 -3600
# Node ID 57cfcbe761b8aeb03f430c828e25a400d7a9b2d6
# Parent  11dc8a6ba4a5309de982d1ecc25f15e0412449ea
ioemu: Fix PVFB backend to limit frame buffer size

The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly.  This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
xen-unstable changeset:   17643:9044705960cb30cec385bdca7305bcf7db096721
xen-unstable date:        Thu May 15 09:36:38 2008 +0100
---
 tools/ioemu/hw/xenfb.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletion(-)

diff -r 11dc8a6ba4a5 -r 57cfcbe761b8 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Thu May 15 09:47:41 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c    Thu May 15 09:53:32 2008 +0100
@@ -481,9 +481,15 @@ static int xenfb_configure_fb(struct xen
        size_t mfn_sz = sizeof(*((struct xenfb_page *)0)->pd);
        size_t pd_len = sizeof(((struct xenfb_page *)0)->pd) / mfn_sz;
        size_t fb_pages = pd_len * XC_PAGE_SIZE / mfn_sz;
-       size_t fb_len_max = fb_pages * XC_PAGE_SIZE;
+       size_t fb_len_lim = fb_pages * XC_PAGE_SIZE;
        int max_width, max_height;
 
+       if (fb_len > fb_len_lim) {
+               fprintf(stderr,
+                       "FB: frontend fb size %zu limited to %zu\n",
+                       fb_len, fb_len_lim);
+               fb_len = fb_len_lim;
+       }
        if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
                fprintf(stderr,
                        "FB: can't handle frontend fb depth %d\n",
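Review bot: In the new `if (fb_len > fb_len_lim)` block, an oversized frontend value is clamped and configuration carries on, so a frontend that describes a buffer larger than the page directory can address is still accepted with a size it did not ask for. Consider returning an error here instead, or add a short comment stating why clamping is preferred and that the later validation is meant to run against the clamped `fb_len`. Two smaller points: the declaration of `fb_len` is outside this hunk, so please confirm it is `size_t` so that `%zu` matches and the comparison with `fb_len_lim` is unsigned; and the `fprintf` fires each time the frontend supplies an oversized value, so the guest controls how often this line is written to dom0's stderr.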

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
