On Tue, 2012-01-03 at 19:42 +0000, Haogang Chen wrote:> There is a potential integer overflow in process_msg() that could result
> in cross-domain attack.
>
> body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
>
> When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
> call to xb_read() would write to a zero-length buffer.
The other end of this connection is always the xenstore backend daemon
so there is no guest (malicious or otherwise) which can do this. The
xenstore daemon is a trusted component in the system.
However this seem like a reasonable robustness improvement so we should
have it.
> This causes
> kernel oops in the receiving guest and hangs its xenbus kernel thread.
> The patch returns -EINVAL in that case.
>
> Signed-off-by: Haogang Chen <haogangchen at gmail.com>
Acked-by: Ian Campbell <ian.campbell at citrix.com>
> ---
> drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/xen/xenbus/xenbus_xs.c
b/drivers/xen/xenbus/xenbus_xs.c
> index ede860f..e32aefb 100644
> --- a/drivers/xen/xenbus/xenbus_xs.c
> +++ b/drivers/xen/xenbus/xenbus_xs.c
> @@ -801,6 +801,12 @@ static int process_msg(void)
> goto out;
> }
>
> + if (msg->hdr.len == UINT_MAX) {
> + kfree(msg);
> + err = -EINVAL;
> + goto out;
> + }
> +
> body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
> if (body == NULL) {
> kfree(msg);