XSA-13

CVE-2012-3495


Problem description


hypercall physdev_get_free_pirq vulnerability

The PHYSDEVOP_get_free_pirq hypercall handler does not check that its call to get_free_pirq() succeeded. When the allocation fails, the negative error code it returns is stored as the result pirq number and then used as an index into the domain's pirq_irq[] table, so PIRQ_ALLOCATED is written outside the table.

Root cause: unchecked error return value


Patch description

http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/6779ddca8593

xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq

--- a/xen/arch/x86/physdev.c    Wed Sep 05 12:27:54 2012 +0100
+++ b/xen/arch/x86/physdev.c    Wed Sep 05 12:28:17 2012 +0100
@@ -587,11 +587,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
             break;
 
         spin_lock(&d->event_lock);
-        out.pirq = get_free_pirq(d, out.type, 0);
-        d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
+        ret = get_free_pirq(d, out.type, 0);
+        if ( ret >= 0 )
+            d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
         spin_unlock(&d->event_lock);
 
-        ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+        if ( ret >= 0 )
+        {
+            out.pirq = ret;
+            ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+        }
 
         rcu_unlock_domain(d);
         break;
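Review bot: on the failure path of `ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;` the slot chosen by get_free_pirq has already been marked `d->arch.pirq_irq[ret] = PIRQ_ALLOCATED` under d->event_lock, but the guest never learns which pirq it got, so that entry stays reserved with nobody able to free it; consider clearing it again (under the lock) when the copy fails, or stating in the commit message that this leak is accepted. The fix itself is right: with `if ( ret >= 0 )` guarding both the table store and the copy, a negative allocator result now reaches the guest as the hypercall's return value instead of being used as an array index.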

Consequence

A guest that makes the get_free_pirq() allocation fail triggers the out-of-bounds write of PIRQ_ALLOCATED. Depending on the exact memory layout around the pirq_irq[] table, a malicious guest might thereby be able to crash the host, leading to a denial of service.

DoS
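Added example, not Xen's code and not part of the advisory: a small C model of the handler as described above and of the control flow of the fix shown under Patch description. Assumptions made for the demo: a per-domain pirq_irq[] table of NR_PIRQS = 8 entries with 0 meaning free, a PIRQ_ALLOCATED marker, the guest argument's pirq field modelled as a plain int (so the bad index comes out negative here; whatever the real field's width, the store lands outside the table), and a copy_to_guest stand-in that can be told to fail. The unpatched write is only computed, never performed, since performing it is the out-of-bounds store itself. One deliberate addition beyond the Xen patch: when copying the result to the guest fails, the just-reserved slot is released again.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the data touched by PHYSDEVOP_get_free_pirq.
 * Assumed sizes and values; not Xen's definitions. */
#define NR_PIRQS       8
#define PIRQ_ALLOCATED (-1)   /* reserved, not yet bound to an irq */

struct domain {
    int pirq_irq[NR_PIRQS];   /* 0 = free, PIRQ_ALLOCATED, or an irq number */
};

struct physdev_get_free_pirq {
    int type;   /* IN: interrupt type (ignored by this model) */
    int pirq;   /* OUT: allocated pirq number (assumed int here) */
};

/* Same contract as Xen's get_free_pirq(): first free index, or a negative
 * errno when nothing is free.  That negative value is what the unpatched
 * handler stored into out.pirq and then used as a table index. */
static int get_free_pirq(struct domain *d)
{
    for (int i = 0; i < NR_PIRQS; i++)
        if (d->pirq_irq[i] == 0)
            return i;
    return -ENOSPC;
}

/* Index the unpatched code would have written PIRQ_ALLOCATED to.  With the
 * table full this is -ENOSPC, a store ENOSPC slots before pirq_irq[]: the
 * out-of-bounds write behind CVE-2012-3495.  Computed, never performed. */
static int unpatched_store_index(struct domain *d)
{
    return get_free_pirq(d);
}

/* Stand-in for copy_to_guest(): non-zero (bytes not copied) when asked to
 * simulate an unmapped guest buffer, 0 on success. */
static int copy_to_guest(struct physdev_get_free_pirq *dst,
                         const struct physdev_get_free_pirq *src,
                         int guest_fault)
{
    if (guest_fault)
        return (int)sizeof *src;
    *dst = *src;
    return 0;
}

/* Handler with the patched control flow: the allocator result lives in a
 * signed ret, the table is written only for ret >= 0, and out.pirq reaches
 * the guest only on success; a negative ret becomes the hypercall status.
 * Addition beyond the Xen patch: on a failed copy the slot is freed again,
 * so a guest that never learned the number cannot leave it reserved. */
static int do_physdev_get_free_pirq(struct domain *d,
                                    struct physdev_get_free_pirq *arg,
                                    int guest_fault)
{
    struct physdev_get_free_pirq out = { .type = arg->type, .pirq = 0 };
    int ret;

    /* In Xen this part runs under d->event_lock. */
    ret = get_free_pirq(d);
    if (ret >= 0)
        d->pirq_irq[ret] = PIRQ_ALLOCATED;

    if (ret >= 0) {
        out.pirq = ret;
        if (copy_to_guest(arg, &out, guest_fault)) {
            d->pirq_irq[ret] = 0;      /* roll back the reservation */
            ret = -EFAULT;
        } else {
            ret = 0;
        }
    }
    return ret;
}

int main(void)
{
    struct domain d;
    struct physdev_get_free_pirq arg = { .type = 0, .pirq = -1 };

    memset(&d, 0, sizeof d);
    for (int i = 0; i < NR_PIRQS; i++) {
        int ret = do_physdev_get_free_pirq(&d, &arg, 0);
        printf("alloc: ret=%d pirq=%d\n", ret, arg.pirq);
    }
    /* Table exhausted: the patched handler reports the error; the unpatched
     * one would have indexed pirq_irq[] with that same negative value. */
    printf("table full: patched ret=%d, unpatched would index pirq_irq[%d]\n",
           do_physdev_get_free_pirq(&d, &arg, 0), unpatched_store_index(&d));
    return 0;
}
```

The two separate `if (ret >= 0)` blocks mirror the patch: the first is the locked region that touches the table, the second is the copy back to the guest, and a negative allocator result skips both and is returned as the hypercall status.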