On Tue, 2012-01-03 at 19:42 +0000, Haogang Chen wrote: > There is a potential integer overflow in process_msg() that could result > in cross-domain attack. > > body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); > > When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent > call to xb_read() would write to a zero-length buffer.
The other end of this connection is always the xenstore backend daemon so there is no guest (malicious or otherwise) which can do this. The xenstore daemon is a trusted component in the system. However this seem like a reasonable robustness improvement so we should have it. > This causes > kernel oops in the receiving guest and hangs its xenbus kernel thread. > The patch returns -EINVAL in that case. > > Signed-off-by: Haogang Chen <[email protected]> Acked-by: Ian Campbell <[email protected]> > --- > drivers/xen/xenbus/xenbus_xs.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c > index ede860f..e32aefb 100644 > --- a/drivers/xen/xenbus/xenbus_xs.c > +++ b/drivers/xen/xenbus/xenbus_xs.c > @@ -801,6 +801,12 @@ static int process_msg(void) > goto out; > } > > + if (msg->hdr.len == UINT_MAX) { > + kfree(msg); > + err = -EINVAL; > + goto out; > + } > + > body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); > if (body == NULL) { > kfree(msg); _______________________________________________ Virtualization mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/virtualization
