From patchwork Mon Mar 17 23:08:08 2025
X-Patchwork-Submitter: Volodymyr Babchuk
X-Patchwork-Id: 14020027
From: Volodymyr Babchuk
To: xen-devel@lists.xenproject.org
CC: Stefano Stabellini, Roger Pau Monné, Volodymyr Babchuk, Tamas K Lengyel, Alexandru Isaila, Petre Pircalabu
Subject: [PATCH] xen: vm_event: do not do vm_event_op for an invalid domain
Date: Mon, 17 Mar 2025 23:08:08 +0000
Message-ID: <20250317230806.1179478-1-volodymyr_babchuk@epam.com>
A privileged domain can issue XEN_DOMCTL_vm_event_op with op->domain == DOMID_INVALID. In this case the vm_event_domctl() function will get NULL as the first parameter and this will cause a hypervisor panic, as it tries to dereference this pointer.

Fix the issue by checking if a valid domain is passed in.

Signed-off-by: Volodymyr Babchuk
---
This issue was found by the xen fuzzer ([1])

[1] https://lore.kernel.org/all/20250315003544.1101488-1-volodymyr_babchuk@epam.com/
---
 xen/common/vm_event.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index fbf1aa0848..a4c233de52 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -600,6 +600,13 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) return 0; } + if ( unlikely(!d) ) + { + gdprintk(XENLOG_INFO, + "Tried to do a memory event op on invalid domain\n"); + return -EINVAL; + } + rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); if ( rc ) return rc;
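Review bot: the new `unlikely(!d)` check is inserted below the early-return block shown in the hunk's leading context (`return 0; }`), so it only protects the code from `xsm_vm_event_control(XSM_PRIV, d, ...)` onward; the commit message should state that nothing between function entry and this point touches `d`, otherwise the check belongs at the top of `vm_event_domctl()` before that block. As a style point, the log text says "memory event op" while the subject line and the function name use vm_event; "Tried to do a vm_event op on invalid domain\n" would keep the message consistent with the subsystem name.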