thr3ads.net - Xen devel - [PATCH 02/11] tmem: consistently make pool_id a uint32

If this information is useful, please help other people find it:
Share via:

Jan Beulich

2012-Sep-05 12:34 UTC

[PATCH 02/11] tmem: consistently make pool_id a uint32_t

Treating it as an int could allow a malicious guest to provide a
negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and
allowing access to the negative offsets of the pool array.

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2417,7 +2417,7 @@ static NOINLINE int tmemc_save_subop(int
     return rc;
 }
 
-static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id,
+static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
                         tmem_cli_va_t buf, uint32_t bufsize)
 {
     client_t *client = tmh_client_from_cli_id(cli_id);
@@ -2509,7 +2509,7 @@ out:
     return ret;
 }
 
-static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
+static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
                       uint32_t index, tmem_cli_va_t buf, uint32_t bufsize)
 {
     client_t *client = tmh_client_from_cli_id(cli_id);
@@ -2521,7 +2521,7 @@ static int tmemc_restore_put_page(int cl
     return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
 }
 
-static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp,
+static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp,
                         uint32_t index)
 {
     client_t *client = tmh_client_from_cli_id(cli_id);





_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Dan Magenheimer

2012-Sep-05 16:38 UTC

head link

Re: [PATCH 02/11] tmem: consistently make pool_id a uint32_t

> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Wednesday, September 05, 2012 6:35 AM
> To: xen-devel
> Cc: Dan Magenheimer; Zhenzhong Duan
> Subject: [PATCH 02/11] tmem: consistently make pool_id a uint32_t
> 
> Treating it as an int could allow a malicious guest to provide a
> negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and
> allowing access to the negative offsets of the pool array.
> 
> This is part of XSA-15 / CVE-2012-3497.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>

 > --- a/xen/common/tmem.c
> +++ b/xen/common/tmem.c
> @@ -2417,7 +2417,7 @@ static NOINLINE int tmemc_save_subop(int
>      return rc;
>  }
> 
> -static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id,
> +static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
>                          tmem_cli_va_t buf, uint32_t bufsize)
>  {
>      client_t *client = tmh_client_from_cli_id(cli_id);
> @@ -2509,7 +2509,7 @@ out:
>      return ret;
>  }
> 
> -static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
> +static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
>                        uint32_t index, tmem_cli_va_t buf, uint32_t bufsize)
>  {
>      client_t *client = tmh_client_from_cli_id(cli_id);
> @@ -2521,7 +2521,7 @@ static int tmemc_restore_put_page(int cl
>      return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
>  }
> 
> -static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp,
> +static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID
*oidp,
>                          uint32_t index)
>  {
>      client_t *client = tmh_client_from_cli_id(cli_id);
> 
> 
>

Xen devel - Sep 2012 - [PATCH 02/11] tmem: consistently make pool_id a uint32_t

[PATCH 02/11] tmem: consistently make pool_id a uint32_t

Re: [PATCH 02/11] tmem: consistently make pool_id a uint32_t