[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point

To: xen-devel@xxxxxxxxxxxxxxxxxxx
From: Chris Wright <chrisw@xxxxxxxx>
Date: Mon, 27 Jun 2005 11:41:57 -0700
Delivery-date: Mon, 27 Jun 2005 18:40:56 +0000
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Unless I missed something, not bounds checking entries in do_set_gdt is 
a security hole.

Signed-off-by: Chris Wright <chrisw@xxxxxxxx>

--- 1.184/xen/arch/x86/mm.c     2005-06-23 02:35:56 -07:00
+++ edited/xen/arch/x86/mm.c    2005-06-27 11:37:30 -07:00
@@ -2442,6 +2442,9 @@ long do_set_gdt(unsigned long *frame_lis
     unsigned long frames[16];
     long ret;
 
+    if ( entries > FIRST_RESERVED_GDT_ENTRY )
+        return -EINVAL;
+
     if ( copy_from_user(frames, frame_list, nr_pages * sizeof(unsigned long)) )
         return -EFAULT;
 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
  - From: Keir Fraser

Prev by Date: [Xen-devel] Graphical control interface support.
Next by Date: [Xen-devel] FYI: 2.6.11 XenLinux has issues with x86-64 ia32 emulation compilation on gcc4
Previous by thread: [Xen-devel] Graphical control interface support.
Next by thread: Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.