WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] [PATCH] ioemu: Fix PVFB backend to limit frame buffer size

from [Markus Armbruster] [Permanent Link][Original]
To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] [PATCH] ioemu: Fix PVFB backend to limit frame buffer size
From: Markus Armbruster <armbru@xxxxxxxxxx>
Date: Thu, 15 May 2008 09:53:01 +0200
Delivery-date: Thu, 15 May 2008 00:53:25 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <877idyxq1i.fsf@xxxxxxxxxxxxxxxxx> (Markus Armbruster's message of "Tue\, 13 May 2008 16\:00\:09 +0200")
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <877idyxq1i.fsf@xxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux) 
The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly.  This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

diff -r 53195719f762 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Tue May 13 15:08:17 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c    Thu May 15 09:37:18 2008 +0200
@@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
                fprintf(stderr,
                        "FB: frontend fb size %zu limited to %zu\n",
                        fb_len, fb_len_lim);
+               fb_len = fb_len_lim;
        }
        if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
                fprintf(stderr,

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Xen-devel] VMX status report. Xen: #17630 & Xen0: #540 -- blocked, Li, Haicheng
Next by Date:  RE: [Xen-devel] VMX status report. Xen: #17630 & Xen0: #540 -- blocked, Xu, Dongxiao
Previous by Thread:  Re: [Xen-devel] Fix PVFB backend to validate frontend's frame buffer description, Markus Armbruster
Next by Thread:  [Xen-devel] [PATCH] ioemu: Fix interpretation of missing or zero vfb videoram, Markus Armbruster
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy