On 07/07/2018 12:05 PM, Paul Durrant wrote:
> @@ -35,17 +93,33 @@ static void iommu_op(xen_iommu_op_t *op)
>
> int do_one_iommu_op(xen_iommu_op_buf_t *buf)
> {
> - xen_iommu_op_t op;
> + xen_iommu_op_t op = {};
> + size_t offset;
> + static const size_t op_size[] = {
> + [XEN_IOMMUOP_query_reserved] = sizeof(struct
> xen_iommu_op_query_reserved),
> + };
> +
> + offset = offsetof(struct xen_iommu_op, u);
>
> - if ( buf->size < sizeof(op) )
> + if ( buf->size < offset )
> return -EFAULT;
>
> - if ( copy_from_guest((void *)&op, buf->h, sizeof(op)) )
> + if ( copy_from_guest((void *)&op, buf->h, offset) )
> return -EFAULT;
>
> if ( op.pad )
> return -EINVAL;
>
> + if ( op.op >= ARRAY_SIZE(op_size) )
> + return -EOPNOTSUPP;
> +
> + if ( buf->size < offset + op_size[op.op] )
> + return -EFAULT;
> +
> + if ( copy_from_guest_offset((void *)&op.u, buf->h, offset,
> + op_size[op.op]) )
> + return -EFAULT;
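Review bot: The bound check `if ( op.op >= ARRAY_SIZE(op_size) )` only rejects op numbers at or above the table size; since `op_size` is a sparse designated initializer, any in-range op number that is not listed gets a size of 0, passes the `buf->size` check, and goes on to `iommu_op(&op)` with an unread payload, so rejection of such ops would rest on the dispatch switch outside this hunk. With `XEN_IOMMUOP_query_reserved` as the only entry today this may be moot if its value is 0, but it becomes a trap as soon as an op number is skipped or a new op is added to the header before the table. If relying on the switch is intended, a comment on the table would make that explicit: `/* Unlisted ops have size 0; iommu_op() is expected to reject them. */`; otherwise tighten the check to `if ( op.op >= ARRAY_SIZE(op_size) || !op_size[op.op] ) return -EOPNOTSUPP;`, assuming no op ever has an empty payload. do_one_iommu_op's body continues outside the hunk.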
This looks like part of a potential SP1 gadget, so this needs to use
array_index_nospec().
-George