xen: add missing guest address range checks to XENMEM_exchange handlers Ever since its existence (3.0.3 iirc) the handler for this has been using non address range checking guest memory accessors (i.e. the ones prefixed with two underscores) without first range checking the accessed space (via guest_handle_okay()), allowing a guest to access and overwrite hypervisor memory. This is XSA-29 / CVE-2012-5513. Signed-off-by: Jan Beulich Acked-by: Ian Campbell Acked-by: Ian Jackson diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c index 996151c..a49f51b 100644 --- a/xen/common/compat/memory.c +++ b/xen/common/compat/memory.c @@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat) (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) return -EINVAL; + if ( !compat_handle_okay(cmp.xchg.in.extent_start, + cmp.xchg.in.nr_extents) || + !compat_handle_okay(cmp.xchg.out.extent_start, + cmp.xchg.out.nr_extents) ) + return -EFAULT; + start_extent = cmp.xchg.nr_exchanged; end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / (((1U << ABS(order_delta)) + 1) * diff --git a/xen/common/memory.c b/xen/common/memory.c index 83e2666..bdb6ed8 100644 --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg) goto fail_early; } + if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || + !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) + { + rc = -EFAULT; + goto fail_early; + } + /* Only privileged guests can allocate multi-page contiguous extents. */ if ( !multipage_allocation_permitted(current->domain, exch.in.extent_order) ||