CVE-2012-4536
pirq range check DoS vulnerability
domain_pirq_to_emuirq() uses the guest provided pirq value before range checking it, and physdev_unmap_pirq uses domain_pirq_to_emuirq without checking the pirq value either. Invalid pirq values can cause Xen to read out of array bounds, usually resulting in a fatal page fault.
lack of check (range check)
http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/210f16b6509b
x86/physdev: Range check pirq parameter from guests
Otherwise Xen will read beyond either end of the struct domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
This vulnerability adds a call to domain_pirq_to_emuirq() which uses the guest provided pirq value before range checking it, and was fixed by c/s 23573:584c2e5e03d9 which changed the behaviour of the domain_pirq_to_emuirq() macro to use radix trees instead of a flat array.
--- a/xen/arch/x86/physdev.c Wed Nov 14 11:33:36 2012 +0000
+++ b/xen/arch/x86/physdev.c Wed Nov 14 11:35:06 2012 +0000
@@ -234,6 +234,10 @@ static int physdev_unmap_pirq(struct phy
if ( ret )
return ret;
+ ret = -EINVAL;
+ if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
+ goto free_domain;
+
if ( is_hvm_domain(d) )
{
spin_lock(&d->event_lock);A malicious guest administrator can cause Xen to crash.
DoS