# HG changeset patch
# User Alex Williamson <alex.williamson@xxxxxx>
# Date 1190048367 21600
# Node ID 487df63c4ae9235163f041fbf2a1d8af657630a9
# Parent b5488dee14af39dc57fa68a5f553617c315bf86b
[IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.
This avoids a buffer overflow in Xen.
Signed-off-by: Tristan Gingold <tgingold@xxxxxxx>
---
xen/arch/ia64/vmx/vmmu.c | 12 ++++++++++++
xen/arch/ia64/vmx/vmx_virt.c | 20 ++++++++++++++++++--
2 files changed, 30 insertions(+), 2 deletions(-)
diff -r b5488dee14af -r 487df63c4ae9 xen/arch/ia64/vmx/vmmu.c
--- a/xen/arch/ia64/vmx/vmmu.c Mon Sep 17 09:28:58 2007 -0600
+++ b/xen/arch/ia64/vmx/vmmu.c Mon Sep 17 10:59:27 2007 -0600
@@ -403,6 +403,12 @@ IA64FAULT vmx_vcpu_itr_i(VCPU *vcpu, u64
}
thash_purge_entries(vcpu, va, ps);
#endif
+
+ if (slot >= NITRS) {
+ panic_domain(NULL, "bad itr.i slot (%ld)", slot);
+ return IA64_FAULT;
+ }
+
pte &= ~PAGE_FLAGS_RV_MASK;
vcpu_get_rr(vcpu, va, &rid);
rid = rid& RR_RID_MASK;
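Review bot: The new `slot >= NITRS` branch at L21 terminates the whole domain with panic_domain(), while the emulation layer in this same commit (vmx_virt.c) already turns the same condition into a guest-visible Reserved Register/Field fault, so this branch should only be reachable through a caller that skipped vmx_emul_itr_i; a comment should say so, otherwise a later reader may weaken it to a fault or drop it as redundant: `/* Backstop only: vmx_emul_itr_i already rejects an out-of-range slot with a reserved-register fault; reaching here means a caller bypassed that check. */`. The same applies to the itr.d branch in the next hunk (L34). `slot` is declared u64 by the callers, so `%ld` in the panic message does not match its signedness; `%lu` would. The guard also sits after the thash_purge_entries() call on L18, so an invalid slot still purges before the domain is killed — harmless as written, but validating before any mutation is the safer order if that call is unconditionally reached, which the `#endif` on L19 makes hard to tell from here. vmx_vcpu_itr_i starts before this hunk and continues after it.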
@@ -431,6 +437,12 @@ IA64FAULT vmx_vcpu_itr_d(VCPU *vcpu, u64
return IA64_FAULT;
}
#endif
+
+ if (slot >= NDTRS) {
+ panic_domain(NULL, "bad itr.d slot (%ld)", slot);
+ return IA64_FAULT;
+ }
+
pte &= ~PAGE_FLAGS_RV_MASK;
/* This is a bad workaround
diff -r b5488dee14af -r 487df63c4ae9 xen/arch/ia64/vmx/vmx_virt.c
--- a/xen/arch/ia64/vmx/vmx_virt.c Mon Sep 17 09:28:58 2007 -0600
+++ b/xen/arch/ia64/vmx/vmx_virt.c Mon Sep 17 10:59:27 2007 -0600
@@ -567,6 +567,7 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
{
u64 itir, ifa, pte, slot;
+ ISR isr;
#ifdef VMAL_NO_FAULT_CHECK
IA64_PSR vpsr;
vpsr.val=vmx_vcpu_get_psr(vcpu);
@@ -575,7 +576,6 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
illegal_op(vcpu);
return IA64_FAULT;
}
- ISR isr;
if ( vpsr.cpl != 0) {
/* Inject Privileged Operation fault into guest */
set_privileged_operation_isr (vcpu, 0);
@@ -618,14 +618,22 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
}
#endif // VMAL_NO_FAULT_CHECK
+ if (slot >= NDTRS) {
+ isr.val = set_isr_ei_ni(vcpu);
+ isr.code = IA64_RESERVED_REG_FAULT;
+ vcpu_set_isr(vcpu, isr.val);
+ rsv_reg_field(vcpu);
+ return IA64_FAULT;
+ }
+
return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
}
static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
{
u64 itir, ifa, pte, slot;
-#ifdef VMAL_NO_FAULT_CHECK
ISR isr;
+#ifdef VMAL_NO_FAULT_CHECK
IA64_PSR vpsr;
vpsr.val=vmx_vcpu_get_psr(vcpu);
if ( vpsr.ic ) {
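Review bot: The five-line fault-injection sequence added at L64–L68 is repeated verbatim for itr.i at L86–L90 in the next hunk, so it is worth a small `static` helper so the two new paths cannot drift apart. Placing the check after `#endif // VMAL_NO_FAULT_CHECK` is the right choice, since it makes the bound active in every build rather than only in fault-checking ones. With a helper owning its own `ISR isr`, the function-scope `ISR isr;` introduced at L48 and L77 may be able to go back under `#ifdef`; whether it has other uses depends on code outside this hunk. vmx_emul_itr_d starts before this hunk and vmx_emul_itr_i ends after it.
```c
/* Raise a Reserved Register/Field fault in the guest for a TR slot
 * index that lies outside the itr/dtr register file. */
static void inject_rsv_reg_fault(VCPU *vcpu)
{
    ISR isr;
    isr.val = set_isr_ei_ni(vcpu);
    isr.code = IA64_RESERVED_REG_FAULT;
    vcpu_set_isr(vcpu, isr.val);
    rsv_reg_field(vcpu);
}

/* … unchanged: vmx_emul_itr_d body up to #endif // VMAL_NO_FAULT_CHECK … */
    if (slot >= NDTRS) {
        inject_rsv_reg_fault(vcpu);
        return IA64_FAULT;
    }
    return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
/* … unchanged: vmx_emul_itr_i, same call with NITRS … */
```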
@@ -675,6 +683,14 @@ static IA64FAULT vmx_emul_itr_i(VCPU *vc
}
#endif // VMAL_NO_FAULT_CHECK
+ if (slot >= NITRS) {
+ isr.val = set_isr_ei_ni(vcpu);
+ isr.code = IA64_RESERVED_REG_FAULT;
+ vcpu_set_isr(vcpu, isr.val);
+ rsv_reg_field(vcpu);
+ return IA64_FAULT;
+ }
+
return (vmx_vcpu_itr_i(vcpu,slot,pte,itir,ifa));
}