

[Xen-devel] [PATCH] ioemu: Fix PVFB backend to limit frame buffer size

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] [PATCH] ioemu: Fix PVFB backend to limit frame buffer size
From: Markus Armbruster <armbru@xxxxxxxxxx>
Date: Thu, 15 May 2008 09:53:01 +0200
In-reply-to: <877idyxq1i.fsf@xxxxxxxxxxxxxxxxx> (Markus Armbruster's message of "Tue\, 13 May 2008 16\:00\:09 +0200")
References: <877idyxq1i.fsf@xxxxxxxxxxxxxxxxx>
The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly.  This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

diff -r 53195719f762 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Tue May 13 15:08:17 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c    Thu May 15 09:37:18 2008 +0200
@@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
                        "FB: frontend fb size %zu limited to %zu\n",
                        fb_len, fb_len_lim);
+               fb_len = fb_len_lim;
        if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
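Review bot: the added `fb_len = fb_len_lim;` has no comment saying why it matters, and because it sits directly under an fprintf that already says "limited to", it is easy to read the message as proof that the clamp happened and to lose the assignment in a later cleanup. A one-line comment stating that fb_len comes from the frontend and bounds how much guest memory the backend will map would make the intent explicit. Keeping the assignment after the fprintf is right, since the log then still reports the frontend's original value next to the limit. The hunk shows neither the enclosing condition nor the later uses of fb_len, so it is worth confirming that the assignment sits inside the same block as the fprintf (its indentation suggests so) and that any geometry check following the visible `depth` test compares against the clamped fb_len rather than a value read again from the frontend.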
