From: Herbert Xu <herbert.xu@redhat.com>
Subject: [RHEL5 PATCH] privcmd: Range-check hypercall index.
Date: Tue, 7 Nov 2006 04:57:53 +1100
Bugzilla: 213178
Message-Id: <20061106175753.GA32495@gondor.apana.org.au>
Changelog: xen privcmd: Range-check hypercall index.
Hi:
BZ 213178
This patch prevents bugs in libxc from killing a guest kernel, in particular, dom0. This isn't a security though since this ioctl requires root privileges to access.
[LINUX] privcmd: Range-check hypercall index.
Otherwise, bugs in e.g. libxc may bring the kernel down.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
Index: latest/drivers/xen/privcmd/privcmd.c
===================================================================
--- latest.orig/drivers/xen/privcmd/privcmd.c
+++ latest/drivers/xen/privcmd/privcmd.c
@@ -52,6 +52,8 @@ static int privcmd_ioctl(struct inode *i
 			return -EFAULT;
 
 #if defined(__i386__)
+		if (hypercall.op >= (PAGE_SIZE >> 5))
+			break;
 		__asm__ __volatile__ (
 			"pushl %%ebx; pushl %%ecx; pushl %%edx; "
 			"pushl %%esi; pushl %%edi; "
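Review bot: The i386 guard added before the asm `break`s out of the switch without assigning `ret`, so the error code the caller sees for an out-of-range op depends on how `ret` was initialized before this hunk, which is not visible here; the x86_64 branch in the following hunk has the same shape, an `if` around the asm with no `else`. Making the rejection explicit, `if (hypercall.op >= (PAGE_SIZE >> 5)) { ret = -EINVAL; break; }`, stops the result from depending on a distant initializer and distinguishes a bad index from an unimplemented hypercall. `PAGE_SIZE >> 5` appears in both hunks as the number of entries in hypercall_page (32 bytes per entry, as the `shll $5` in the next hunk implies); a named constant with a comment such as `/* hypercall_page holds PAGE_SIZE / 32 entries */` would keep the two checks in step if the entry size ever changes. privcmd_ioctl starts and ends outside this hunk.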
@@ -68,21 +70,21 @@ static int privcmd_ioctl(struct inode *i
 			"popl %%ecx; popl %%ebx"
 			: "=a" (ret) : "0" (&hypercall) : "memory" );
 #elif defined (__x86_64__)
-		{
+		if (hypercall.op < (PAGE_SIZE >> 5)) {
 			long ign1, ign2, ign3;
 			__asm__ __volatile__ (
 				"movq %8,%%r10; movq %9,%%r8;"
-				"shlq $5,%%rax ;"
+				"shll $5,%%eax ;"
 				"addq $hypercall_page,%%rax ;"
 				"call *%%rax"
 				: "=a" (ret), "=D" (ign1), "=S" (ign2), "=d" (ign3)
-				: "0" ((unsigned long)hypercall.op),
-				"1" ((unsigned long)hypercall.arg[0]),
-				"2" ((unsigned long)hypercall.arg[1]),
-				"3" ((unsigned long)hypercall.arg[2]),
-				"g" ((unsigned long)hypercall.arg[3]),
-				"g" ((unsigned long)hypercall.arg[4])
+				: "0" ((unsigned int)hypercall.op),
+				"1" (hypercall.arg[0]),
+				"2" (hypercall.arg[1]),
+				"3" (hypercall.arg[2]),
+				"g" (hypercall.arg[3]),
+				"g" (hypercall.arg[4])
 				: "r8", "r10", "memory" );
 		}
 #elif defined (__ia64__)