[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Out of bounds access in early boot code related to GRUB

To: Daniel Kiper <daniel.kiper@xxxxxxxxxx>
From: Wei Liu <wei.liu2@xxxxxxxxxx>
Date: Wed, 19 Sep 2018 10:34:47 +0100
Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
Delivery-date: Wed, 19 Sep 2018 09:34:53 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Daniel,

I discovered an out of bounds access issue related to GRUB relocation
code path when inspecting early boot code.

9589927e5b changed an EFI only path to work with GRUB. Yet the following
two lines within an if condition remained untouched.

    mod[mbi->mods_count].mod_start = virt_to_mfn(_stext);
    mod[mbi->mods_count].mod_end = __2M_rwdata_end - _stext;

Before your change they were fine because the mod array was created one
element larger in Xen (see e22e1c47958a). I don't think GRUB does the
same. So this is an out of bounds access for GRUB case.

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] Out of bounds access in early boot code related to GRUB
  - From: Daniel Kiper

Prev by Date: Re: [Xen-devel] [PATCH v9 5/7] memory: add check_get_page_from_gfn() as a wrapper...
Next by Date: Re: [Xen-devel] [PATCH] Make credit2 the default scheduler
Previous by thread: [Xen-devel] [PATCH v3] x86/pvh: copy data from low 1MB to Dom0 physmap instead of mapping it
Next by thread: Re: [Xen-devel] Out of bounds access in early boot code related to GRUB
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.