
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] ioemu: Fix PVFB backend to limit frame buffer size
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 May 2008 04:40:24 -0700
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210840598 -3600
# Node ID 9044705960cb30cec385bdca7305bcf7db096721
# Parent  86587698116d742ff257e64ddfd230157fcee42c
ioemu: Fix PVFB backend to limit frame buffer size

The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly.  This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
 tools/ioemu/hw/xenfb.c |    1 +
 1 files changed, 1 insertion(+)

diff -r 86587698116d -r 9044705960cb tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Wed May 14 14:12:53 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c    Thu May 15 09:36:38 2008 +0100
@@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
                        "FB: frontend fb size %zu limited to %zu\n",
                        fb_len, fb_len_lim);
+               fb_len = fb_len_lim;
        if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
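Review bot: After `fb_len = fb_len_lim;` the function carries on with a length smaller than the one the frontend advertised, and the only later validation visible in this hunk is the `depth` check. Please confirm that every subsequent check and the mapping itself use the clamped `fb_len` rather than the frontend's original value, and that a description whose geometry no longer fits in the clamped length is rejected rather than rendered. A one-line comment at the assignment saying that `fb_len` bounds how much guest memory the backend maps would also help, since the "limited to" message alone previously read as if the limit were already enforced.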

Xen-changelog mailing list
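The failure mode the commit message describes (an oversize request that is reported but not clamped), next to the clamped form, as an added example that is not code from the Xen tree. `struct fb_desc`, `pages_for`, the two `map_pages_*` functions, the 4096-byte page size and the geometry check after the clamp are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096u              /* assumed page size */

struct fb_desc {                        /* constructed: values a frontend supplies */
    size_t fb_len;                      /* claimed frame buffer size in bytes */
    size_t row_stride;                  /* bytes per scanline */
    size_t height;                      /* number of scanlines */
};

/* Pages the backend would map for len bytes, rounded up without overflow. */
static size_t pages_for(size_t len)
{
    return len / EX_PAGE_SIZE + (len % EX_PAGE_SIZE != 0);
}

/* "Before" behaviour from the commit message: the oversize request is
 * reported, but the frontend's value still decides the mapping size. */
static size_t map_pages_warn_only(const struct fb_desc *d, size_t fb_len_lim)
{
    if (fb_len_lim && d->fb_len > fb_len_lim)
        fprintf(stderr, "fb size %zu exceeds limit %zu\n", d->fb_len, fb_len_lim);
    return pages_for(d->fb_len);
}

/* Hardened form: clamp first, then require the described geometry to fit
 * in the clamped length. Returns 0 when the description is rejected. */
static size_t map_pages_clamped(const struct fb_desc *d, size_t fb_len_lim)
{
    size_t fb_len = d->fb_len;

    if (fb_len_lim && fb_len > fb_len_lim) {
        fprintf(stderr, "fb size %zu limited to %zu\n", fb_len, fb_len_lim);
        fb_len = fb_len_lim;            /* the assignment the patch adds */
    }
    if (d->row_stride == 0 || d->height == 0 || d->height > fb_len / d->row_stride)
        return 0;                       /* overflow-safe stride * height check */
    return pages_for(fb_len);
}

int main(void)
{
    /* constructed input: 1 GiB claimed for an 800x600x32 display, 16 MiB limit */
    struct fb_desc d = { (size_t)1 << 30, 3200, 600 };
    printf("warn-only: %zu pages, clamped: %zu pages\n",
           map_pages_warn_only(&d, 16u << 20), map_pages_clamped(&d, 16u << 20));
    return 0;
}
```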
