From nobody Fri May 06 08:09:38 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0AE5D1AB3077; Fri, 6 May 2022 08:09:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KvjsG6xhJz4Tgs; Fri, 6 May 2022 08:09:38 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1651824579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W3sT2I9KwsXFztfU0EhtW8x8upQgWzWuzuOqLxpBMKg=; b=OQKOMzmLmhYhzVJ6rvR6flIxHLdEUuWFW9d8SKh42vJHeqga2bByrDvZ94ZhiyPcBacyX0 IMQfdYjVAZiCOjStqFPRlnS0z+qDbmRF9ohYqDJ6vvf4sLqUcY0Zwv54lm9xHfEoyABOxW S53biJbH6mh6V+Svuh3U+2MEFRNM95Ie9J+3h3iuVVw4QShL9Q/jCthNnnrDadllZ50luT yZsPF87dgAbr5oHrHrp6uioDrrHeEMWrvL/tcSYAJDTCnQpTIA+Yjiq6Dj0LHSe47UOa3D twzMdNNrpN/kTynTrYyYkfA+BsqbQRZ8F+3y8HIoCgc0vma1Lit+Pp7v7zHGGQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CA3331832F; Fri, 6 May 2022 08:09:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 24689cCx030534; Fri, 6 May 2022 08:09:38 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 24689cEx030533; Fri, 6 May 2022 08:09:38 GMT (envelope-from git) Date: Fri, 6 May 2022 08:09:38 GMT Message-Id: <202205060809.24689cEx030533@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: =?utf-8?Q?Roger Pau Monn=C3=A9?= Subject: git: e99c0c8b79b0 - main - xen: Prevent buffer overflow in privcmd ioctl List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: royger X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e99c0c8b79b030e6c63e4f7149154d926a360664 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1651824579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W3sT2I9KwsXFztfU0EhtW8x8upQgWzWuzuOqLxpBMKg=; b=St37t5sX4WFCOkVY4Yxu3ivgTaUdDh6ErG3cbS+/3uSqmbss+A7znVbjK/rBA0t7XkIUnb w6p0UmJPNtd5JaWA4kfogMuVfAWNX8dIg1A6oEfPesPEVPgY9dTy8Dn+Hbx5+8sU18OhvI 6QE2i7NzPUmKmndDArg+ybbFt/4CnuYPXyo4Swg4ffZnqM+vhVae25ODCGsPtCsnq32vad BQZdMoDK7Im5315WuJvbEcCmZ/N19iWREnE5RsENzpgxL7JkaYYqZVeELrp18My/vuTkZe A4ncFfXctPD+SBG9u6MhnyR3vQBlejRWEBw9fwaKzG6TNLtgapdpWbFQ2A6RZw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1651824579; a=rsa-sha256; cv=none; b=qGYSvehaVBtB077vgwZfewOFcDF2bMwJqTpo5QcCzKePkUhKrFlRg5Y2cZfJpE4CJ6C6gO 1bZw5Z68ID+Hpv+lS+zf1Hm45QmbiR1Si7aJr0ZCCJVlzpXUoOwJ7ZMW7HwP2SwtZKprFu wWQEq1j+mgsH+vAYHEQu0Nn7oOsZGTKl19KK4pGY82LaQ2mb0UkAZODm3q9foGtWDK6mEb RHm+GXtFsA7Hjf7WRXX8lUZCaKC0ArCqlr1z6f8uTtXd321O7OvGarSMU6/iMYImtU7Xnw 3yuHPIOuX4WxMt9K5MPJud1OXiLPMbAOvFSiHToZe3vnqcsBGtr/T4guxSXBDw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by royger: URL: https://cgit.FreeBSD.org/src/commit/?id=e99c0c8b79b030e6c63e4f7149154d926a360664 commit e99c0c8b79b030e6c63e4f7149154d926a360664 Author: Dan Carpenter AuthorDate: 2019-04-04 15:12:17 +0000 Commit: Roger Pau Monné CommitDate: 2022-05-06 07:31:32 +0000 xen: Prevent buffer overflow in privcmd ioctl The "call" variable comes from the user in privcmd_ioctl_hypercall(). It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32) elements. We need to put an upper bound on it to prevent an out of bounds access. Signed-off-by: Dan Carpenter Reviewed-by: Boris Ostrovsky Signed-off-by: Juergen Gross Obtained from: Linux Linux commit: 42d8644bd77dd2d747e004e367cb0c895a606f39 Fixes: bf7313e3b79 ("xen: implement the privcmd user-space device") Submitted by: Elliott Mitchell Reviewed by: royger --- sys/amd64/include/xen/hypercall.h | 3 +++ sys/i386/include/xen/hypercall.h | 3 +++ 2 files changed, 6 insertions(+) diff --git a/sys/amd64/include/xen/hypercall.h b/sys/amd64/include/xen/hypercall.h index 6d00d4a6ebd8..60da390ef4c6 100644 --- a/sys/amd64/include/xen/hypercall.h +++ b/sys/amd64/include/xen/hypercall.h @@ -145,6 +145,9 @@ privcmd_hypercall(long op, long a1, long a2, long a3, long a4, long a5) register long __arg5 __asm__("r8") = (long)(a5); long __call = (long)&hypercall_page + (op * 32); + if (op >= PAGE_SIZE / 32) + return -EINVAL; + __asm__ volatile ( "call *%[call]" : "=a" (__res), "=D" (__ign1), "=S" (__ign2), diff --git a/sys/i386/include/xen/hypercall.h b/sys/i386/include/xen/hypercall.h index 4002aac58d84..f1757e8becaf 100644 --- a/sys/i386/include/xen/hypercall.h +++ b/sys/i386/include/xen/hypercall.h @@ -122,6 +122,9 @@ privcmd_hypercall(long op, long a1, long a2, long a3, long a4, long a5) { long __res, __ign1, __ign2, __ign3, __ign4, __ign5, __call; + if (op >= PAGE_SIZE / 32) + return -EINVAL; + __call = (long)&hypercall_page + (op * 32); __asm__ volatile ( "call *%[call]"