From patchwork Thu Apr 4 15:12:17 2019
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 10885773
Date: Thu, 4 Apr 2019 18:12:17 +0300
From: Dan Carpenter
To: Boris Ostrovsky
Message-ID: <20190404151217.GA22334@kadam>
User-Agent: Mutt/1.9.4 (2018-02-28)
Subject: [Xen-devel] [PATCH] xen: Prevent buffer overflow in privcmd ioctl
Cc: Juergen Gross, Stefano Stabellini, x86@kernel.org, kernel-janitors@vger.kernel.org, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", xen-devel@lists.xenproject.org, Thomas Gleixner

The "call" variable comes from the user in privcmd_ioctl_hypercall(). It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32) elements. We need to put an upper bound on it to prevent an out of bounds access.

Fixes: 1246ae0bb992 ("xen: add variable hypercall caller")
Signed-off-by: Dan Carpenter
Reviewed-by: Boris Ostrovsky
---
 arch/x86/include/asm/xen/hypercall.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h index de6f0d59a24f..2863c2026655 100644 --- a/arch/x86/include/asm/xen/hypercall.h +++ b/arch/x86/include/asm/xen/hypercall.h @@ -206,6 +206,9 @@ xen_single_call(unsigned int call, __HYPERCALL_DECLS; __HYPERCALL_5ARG(a1, a2, a3, a4, a5); + if (call >= PAGE_SIZE / sizeof(hypercall_page[0])) + return -EINVAL; + asm volatile(CALL_NOSPEC : __HYPERCALL_5PARAM : [thunk_target] "a" (&hypercall_page[call])
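Review bot: the bound is enforced inside xen_single_call(), which every in-kernel hypercall caller passes through, while the commit message says the untrusted value originates in privcmd_ioctl_hypercall(); consider either rejecting it at the ioctl boundary as well, or adding a one-line comment above `return -EINVAL;` stating that `call` can be user-controlled, so a future reader understands why a hypercall wrapper returns a Linux errno. Since `call` is `unsigned int` (see the hunk header), the single `call >= PAGE_SIZE / sizeof(hypercall_page[0])` compare also rejects any value that was negative before a user-space cast, so no separate lower-bound test is needed. Placing the check before `__HYPERCALL_5ARG(a1, a2, a3, a4, a5);` rather than after it would avoid loading the argument registers on the rejected path, though the compiler will most likely sink them anyway.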
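To make the boundary the patch draws concrete, here is a constructed user-space model of the check (an added example, not the kernel's or the patch author's code): a page of 32-byte entries as the commit message describes, the same `>=` predicate as the hunk, and the offset an unchecked index would have reached. It assumes 4096-byte pages and 32-byte entries.

```c
#include <errno.h>
#include <stddef.h>
#include <limits.h>

/* Constructed stand-in for the kernel's hypercall_page[]: one page of
 * 32-byte entries (assumption: 4 KiB page, 32-byte entries, matching
 * the "(PAGE_SIZE / 32) elements" in the commit message). */
#define PAGE_BYTES  4096u
#define ENTRY_BYTES 32u

struct hypercall_entry {
    unsigned char code[ENTRY_BYTES];
};

static struct hypercall_entry hypercall_page[PAGE_BYTES / ENTRY_BYTES];

/* Same expression as the patch: PAGE_SIZE / sizeof(hypercall_page[0]),
 * i.e. 128 valid entries, indices 0..127. */
#define NR_ENTRIES (PAGE_BYTES / sizeof(hypercall_page[0]))

/* Byte offset from the start of hypercall_page that the unchecked code
 * would have jumped to for 'call'. Anything >= PAGE_BYTES lies outside
 * the page; a 64-bit product is used so large values do not wrap. */
unsigned long long unchecked_target_offset(unsigned int call)
{
    return (unsigned long long)call * sizeof(hypercall_page[0]);
}

/* Model of xen_single_call() after the patch: reject out-of-range
 * numbers with -EINVAL, otherwise return the in-page byte offset of the
 * entry that would be called. 'call' is unsigned int exactly as in the
 * hunk, so the single >= compare also rejects values that were negative
 * before a user-space cast (they become very large unsigned numbers). */
long checked_target_offset(unsigned int call)
{
    if (call >= NR_ENTRIES)
        return -EINVAL;
    return (long)((const unsigned char *)&hypercall_page[call]
                  - (const unsigned char *)hypercall_page);
}
```

Index 127 is the last entry inside the page; 128 is the first one past it, which is exactly where the unchecked code would have started executing outside hypercall_page.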