46 lines
1.6 KiB
Diff
46 lines
1.6 KiB
Diff
|
# HG changeset patch
|
||
|
|
# User Ian Campbell <ian.campbell@citrix.com>
|
||
|
|
# Date 1347365203 -7200
|
||
|
|
# Node ID fcf567acc92ae57f4adfbe967b01a2ba0390c08f
|
||
|
|
# Parent 0dba5a8886556f1b92e59eb19c570ad1704037f6
|
||
|
|
tmem: consistently make pool_id a uint32_t
|
||
|
|
|
||
|
|
Treating it as an int could allow a malicious guest to provide a
|
||
|
|
negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and
|
||
|
|
allowing access to the negative offsets of the pool array.
|
||
|
|
|
||
|
|
This is part of XSA-15 / CVE-2012-3497.
|
||
|
|
|
||
|
|
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
|
||
|
|
Committed-by: Jan Beulich <jbeulich@suse.com>
|
||
|
|
|
||
|
|
--- a/xen/common/tmem.c
|
||
|
|
+++ b/xen/common/tmem.c
|
||
|
|
@@ -2417,7 +2417,7 @@ static NOINLINE int tmemc_save_subop(int
|
||
|
|
return rc;
|
||
|
|
}
|
||
|
|
|
||
|
|
-static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id,
|
||
|
|
+static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
|
||
|
|
tmem_cli_va_t buf, uint32_t bufsize)
|
||
|
|
{
|
||
|
|
client_t *client = tmh_client_from_cli_id(cli_id);
|
||
|
|
@@ -2509,7 +2509,7 @@ out:
|
||
|
|
return ret;
|
||
|
|
}
|
||
|
|
|
||
|
|
-static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp,
|
||
|
|
+static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp,
|
||
|
|
uint32_t index, tmem_cli_va_t buf, uint32_t bufsize)
|
||
|
|
{
|
||
|
|
client_t *client = tmh_client_from_cli_id(cli_id);
|
||
|
|
@@ -2521,7 +2521,7 @@ static int tmemc_restore_put_page(int cl
|
||
|
|
return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p);
|
||
|
|
}
|
||
|
|
|
||
|
|
-static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp,
|
||
|
|
+static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp,
|
||
|
|
uint32_t index)
|
||
|
|
{
|
||
|
|
client_t *client = tmh_client_from_cli_id(cli_id);
|