References: bsc#969125 CVE-2015-8817 Subject: exec: Respect as_translate_internal length clamp From: Peter Crosthwaite peter.crosthwaite@xilinx.com Mon Mar 16 22:35:54 2015 -0700 Date: Mon Apr 27 18:24:19 2015 +0200: Git: 23820dbfc79d1c9dce090b4c555994f2bb6a69b3 address_space_translate_internal will clamp the *plen length argument based on the size of the memory region being queried. The iommu walker logic in addresss_space_translate was ignoring this by discarding the post fn call value of *plen. Fix by just always using *plen as the length argument throughout the fn, removing the len local variable. This fixes a bootloader bug when a single elf section spans multiple QEMU memory regions. Signed-off-by: Peter Crosthwaite Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/exec.c +++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/exec.c @@ -363,7 +363,6 @@ MemoryRegion *address_space_translate(Ad IOMMUTLBEntry iotlb; MemoryRegionSection *section; MemoryRegion *mr; - hwaddr len = *plen; for (;;) { section = address_space_translate_internal(as->dispatch, addr, &addr, plen, true); @@ -376,7 +375,7 @@ MemoryRegion *address_space_translate(Ad iotlb = mr->iommu_ops->translate(mr, addr, is_write); addr = ((iotlb.translated_addr & ~iotlb.addr_mask) | (addr & iotlb.addr_mask)); - len = MIN(len, (addr | iotlb.addr_mask) - addr + 1); + *plen = MIN(*plen, (addr | iotlb.addr_mask) - addr + 1); if (!(iotlb.perm & (1 << is_write))) { mr = &io_mem_unassigned; break; @@ -387,10 +386,9 @@ MemoryRegion *address_space_translate(Ad if (xen_enabled() && memory_access_is_direct(mr, is_write)) { hwaddr page = ((addr & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE) - addr; - len = MIN(page, len); + *plen = MIN(page, *plen); } - *plen = len; *xlat = addr; return mr; }