WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-changelog

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-changelog] [xen-unstable] [IA64] Check slot for itr.d and itr.i and

from [Xen patchbot-unstable] [Permanent Link][Original]
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 04 Oct 2007 17:40:16 -0700
Delivery-date: Thu, 04 Oct 2007 17:41:27 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx 
# HG changeset patch
# User Alex Williamson <alex.williamson@xxxxxx>
# Date 1190048367 21600
# Node ID 487df63c4ae9235163f041fbf2a1d8af657630a9
# Parent  b5488dee14af39dc57fa68a5f553617c315bf86b
[IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.

This avoids a buffer overflow in Xen.

Signed-off-by: Tristan Gingold <tgingold@xxxxxxx>
---
 xen/arch/ia64/vmx/vmmu.c     |   12 ++++++++++++
 xen/arch/ia64/vmx/vmx_virt.c |   20 ++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff -r b5488dee14af -r 487df63c4ae9 xen/arch/ia64/vmx/vmmu.c
--- a/xen/arch/ia64/vmx/vmmu.c  Mon Sep 17 09:28:58 2007 -0600
+++ b/xen/arch/ia64/vmx/vmmu.c  Mon Sep 17 10:59:27 2007 -0600
@@ -403,6 +403,12 @@ IA64FAULT vmx_vcpu_itr_i(VCPU *vcpu, u64
     }
     thash_purge_entries(vcpu, va, ps);
 #endif
+
+    if (slot >= NITRS) {
+        panic_domain(NULL, "bad itr.i slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+        
     pte &= ~PAGE_FLAGS_RV_MASK;
     vcpu_get_rr(vcpu, va, &rid);
     rid = rid& RR_RID_MASK;
@@ -431,6 +437,12 @@ IA64FAULT vmx_vcpu_itr_d(VCPU *vcpu, u64
         return IA64_FAULT;
     }
 #endif   
+
+    if (slot >= NDTRS) {
+        panic_domain(NULL, "bad itr.d slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+
     pte &= ~PAGE_FLAGS_RV_MASK;
 
     /* This is a bad workaround
diff -r b5488dee14af -r 487df63c4ae9 xen/arch/ia64/vmx/vmx_virt.c
--- a/xen/arch/ia64/vmx/vmx_virt.c      Mon Sep 17 09:28:58 2007 -0600
+++ b/xen/arch/ia64/vmx/vmx_virt.c      Mon Sep 17 10:59:27 2007 -0600
@@ -567,6 +567,7 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
 static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
+    ISR isr;
 #ifdef  VMAL_NO_FAULT_CHECK
     IA64_PSR  vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
@@ -575,7 +576,6 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
         illegal_op(vcpu);
         return IA64_FAULT;
     }
-    ISR isr;
     if ( vpsr.cpl != 0) {
         /* Inject Privileged Operation fault into guest */
         set_privileged_operation_isr (vcpu, 0);
@@ -618,14 +618,22 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
    }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NDTRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+
     return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
 }
 
 static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
-#ifdef  VMAL_NO_FAULT_CHECK
     ISR isr;
+#ifdef  VMAL_NO_FAULT_CHECK
     IA64_PSR  vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
     if ( vpsr.ic ) {
@@ -675,6 +683,14 @@ static IA64FAULT vmx_emul_itr_i(VCPU *vc
    }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NITRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+ 
    return (vmx_vcpu_itr_i(vcpu,slot,pte,itir,ifa));
 }
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] [IA64] Check slot for itr.d and itr.i and generate interrupt in case of error., Xen patchbot-unstable <=
Previous by Date:  [Xen-changelog] [xen-unstable] Extend 'xm dumppolicy' to support Xen-API, Xen patchbot-unstable
Next by Date:  [Xen-changelog] [xen-unstable] [IA64] Add xenitp tool, Xen patchbot-unstable
Previous by Thread:  [Xen-changelog] [xen-unstable] Extend 'xm dumppolicy' to support Xen-API, Xen patchbot-unstable
Next by Thread:  [Xen-changelog] [xen-unstable] [IA64] Add xenitp tool, Xen patchbot-unstable
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy