XSA-16

CVE-2012-3498


Problem description

xsa16

PHYSDEVOP_map_pirq index vulnerability

PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check map->index.

Root cause: missing range check on a guest-controlled value (map->index) that is used as an array index.
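The defensive pattern the fix relies on, shown here as an added, self-contained C example rather than Xen's own code: a guest-supplied signed index is validated against the table bound before it ever subscripts the table. The table size, the `girq_entry` layout and the `girq_set`/`girq_lookup` helpers are constructed for illustration; only the shape of the check mirrors the patch.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative table size; Xen's real NR_HVM_IRQS differs (assumption). */
#define NR_HVM_IRQS 64

/* Constructed stand-in for one hvm_irq_dpci->girq[] slot. */
struct girq_entry {
    int in_use;
    uint32_t machine_gsi;
};

static struct girq_entry girq[NR_HVM_IRQS];

/*
 * Same shape as the check the XSA-16 patch adds: a guest-supplied
 * index is rejected if it is negative or at/after the end of the table.
 * The index is deliberately a signed int, as in the hypercall argument,
 * so the "< 0" half of the test is live rather than dead code.
 */
static int validate_pirq_index(int index)
{
    if (index < 0 || index >= NR_HVM_IRQS)
        return -EINVAL;
    return 0;
}

/* Record a constructed emulated-GSI -> machine-GSI mapping (setup only). */
static int girq_set(int index, uint32_t machine_gsi)
{
    int ret = validate_pirq_index(index);
    if (ret)
        return ret;
    girq[index].in_use = 1;
    girq[index].machine_gsi = machine_gsi;
    return 0;
}

/*
 * Hardened lookup: validates the index *before* it subscripts girq[],
 * which is the ordering the patch enforces. Returns 0 and stores the
 * machine GSI, -EINVAL for an out-of-range index, -ENOENT if unmapped.
 */
static int girq_lookup(int index, uint32_t *machine_gsi)
{
    int ret = validate_pirq_index(index);
    if (ret)
        return ret;
    if (!girq[index].in_use)
        return -ENOENT;
    *machine_gsi = girq[index].machine_gsi;
    return 0;
}

int main(void)
{
    uint32_t gsi = 0;
    girq_set(5, 21);
    printf("index 5       -> ret %d, gsi %u\n", girq_lookup(5, &gsi), gsi);
    printf("index -1      -> ret %d\n", girq_lookup(-1, &gsi));
    printf("index %d      -> ret %d\n", NR_HVM_IRQS, girq_lookup(NR_HVM_IRQS, &gsi));
    printf("index INT_MIN -> ret %d\n", girq_lookup(INT_MIN, &gsi));
    return 0;
}
```

The point of keeping the check in its own function and calling it first in every path that subscripts the table is that the bound and the use cannot drift apart; the patch's `BUILD_BUG_ON` plays the same role in Xen by tying `NR_HVM_IRQS` to the real array size at compile time.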


Patch description

http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/936f63ee4dad

x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI

This is being used as an array index, and hence must be validated before use.

--- a/xen/arch/x86/physdev.c    Wed Sep 05 12:29:05 2012 +0100
+++ b/xen/arch/x86/physdev.c    Wed Sep 05 12:29:56 2012 +0100
@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
         struct hvm_girq_dpci_mapping *girq;
         uint32_t machine_gsi = 0;
 
+        if ( map->index < 0 || map->index >= NR_HVM_IRQS )
+        {
+            ret = -EINVAL;
+            break;
+        }
+
         /* find the machine gsi corresponding to the
          * emulated gsi */
         hvm_irq_dpci = domain_get_irq_dpci(d);
         if ( hvm_irq_dpci )
         {
+            BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
             list_for_each_entry ( girq,
                                   &hvm_irq_dpci->girq[map->index],
                                   list )
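Review bot: the added range check only closes the hole if map->index is a signed type; with an unsigned index the `map->index < 0` half is dead code and the `>= NR_HVM_IRQS` comparison must carry the whole check on its own, so the struct definition should be confirmed against this hunk. The placement is otherwise right: the check runs before `&hvm_irq_dpci->girq[map->index]` is evaluated, and the `BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS)` ties the bound used in the check to the actual array size so a later resize of `girq` cannot silently reopen the out-of-bounds access.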

Consequence

A malicious HVM guest kernel can crash the host. It might also be able to read hypervisor or guest memory.

DoS, information leak