CVE-2012-5512
http://xenbits.xen.org/xsa/advisory-28.html
HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
The HVMOP_set_mem_access operation handler uses a guest-supplied input (hvmmem_access) as an array index before range checking it.
lack of check (range check)
http://xenbits.xen.org/xsa/xsa.patch
x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3699,7 +3699,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
return rc;
rc = -EINVAL;
- if ( !is_hvm_domain(d) )
+ if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )
goto param_fail5;
p2m = p2m_get_hostp2m(d);
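Review bot: Folding the index check into the `is_hvm_domain(d)` test moves it ahead of `p2m = p2m_get_hostp2m(d);` and so ahead of the default-access assignment that previously indexed `memaccess[]` unchecked; that is the right place for it. One thing to confirm in review: `a.hvmmem_access` must be an unsigned field for `>= ARRAY_SIZE(memaccess)` to reject every bad value, since a signed negative would pass this comparison. A short comment on the combined condition would also help, as the two halves fail for unrelated reasons but share `rc = -EINVAL` and `goto param_fail5`.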
@@ -3719,9 +3719,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
goto param_fail5;
- if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) )
- goto param_fail5;
-
for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
{
p2m_type_t t;
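Review bot: Deleting the old check here is only safe because the new check at 3699 now runs before every use of `a.hvmmem_access`, including the default-access path that sits between the two hunks; worth stating that in the commit message so a later reader does not re-add a "missing" check below the pfn range test. The removed check was positioned after the `domain_get_maximum_gpfn(d)` comparison, which is exactly why the default-access path (taken when `first_pfn` is ~0) could reach the array read first.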
A malicious guest administrator can cause Xen to crash. If the out-of-bounds array read does not crash, the arbitrary value it returns is stored as the domain's default access, and a caller that later reads the default back through the HVMOP_get_mem_access operation obtains that value, causing an information leak.
DoS, information leak
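The following is an added example, not Xen's code: a small C model of the ordering defect described above and of the fix. The struct and function names (hv_domain, hv_set_mem_access, hv_set_mem_access_vulnerable, hv_set_mem_access_fixed, hv_get_default_access, table_read) are hypothetical, and the memaccess[] table and the 0x5a5a marker are constructed stand-ins. An unchecked read past a real table would be undefined behaviour, so the model routes the read through table_read(), which counts out-of-range requests and returns a marker value instead; that is enough to show the leak channel (the garbage value becoming the default access and being read back) without reproducing the crash.

```c
/*
 * Added example (not Xen's code): models why the position of the range
 * check on the guest-supplied hvmmem_access index matters. All names here
 * are hypothetical stand-ins for the Xen handler's structures.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Model of a per-domain p2m; only the field relevant to this bug. */
struct hv_domain {
    int default_access;
};

/* Constructed request: the two fields that drive the affected paths. */
struct hv_set_mem_access {
    uint64_t first_pfn;          /* ~0ull means "set the default access" */
    unsigned int hvmmem_access;  /* guest-controlled table index */
};

/* Constructed stand-in for the handler's memaccess[] translation table. */
static const int memaccess[] = { 0, 1, 2, 3, 4, 5, 6, 7 };

/*
 * Stand-in for an unchecked array read. Hardware would return whatever
 * follows the table (or fault); here an out-of-range index is counted and a
 * constructed marker value is returned so the effect is observable safely.
 */
static int oob_reads;
static int table_read(unsigned int idx)
{
    if (idx < ARRAY_SIZE(memaccess))
        return memaccess[idx];
    oob_reads++;
    return 0x5a5a; /* constructed "garbage" that leaks into default_access */
}

/* Pre-fix ordering: the default-access path indexes the table, and the
 * range check only runs on the per-pfn path that follows it. */
int hv_set_mem_access_vulnerable(struct hv_domain *d,
                                 const struct hv_set_mem_access *a)
{
    if (a->first_pfn == ~0ull) {
        d->default_access = table_read(a->hvmmem_access); /* unchecked use */
        return 0;                                         /* check never reached */
    }
    if (a->hvmmem_access >= ARRAY_SIZE(memaccess))        /* too late for the path above */
        return -EINVAL;
    d->default_access = table_read(a->hvmmem_access);
    return 0;
}

/* Fixed ordering: reject a bad index before any path can use it. */
int hv_set_mem_access_fixed(struct hv_domain *d,
                            const struct hv_set_mem_access *a)
{
    if (a->hvmmem_access >= ARRAY_SIZE(memaccess))
        return -EINVAL;
    d->default_access = table_read(a->hvmmem_access);
    return 0;
}

/* Model of HVMOP_get_mem_access reading the default back: the leak channel. */
int hv_get_default_access(const struct hv_domain *d)
{
    return d->default_access;
}

int main(void)
{
    struct hv_domain d = { .default_access = 2 };
    struct hv_set_mem_access req = { .first_pfn = ~0ull, .hvmmem_access = 42 };

    hv_set_mem_access_vulnerable(&d, &req);
    printf("vulnerable: default_access now 0x%x (out-of-range reads: %d)\n",
           hv_get_default_access(&d), oob_reads);

    d.default_access = 2;
    int rc = hv_set_mem_access_fixed(&d, &req);
    printf("fixed: rc=%d, default_access still %d\n", rc,
           hv_get_default_access(&d));
    return 0;
}
```

The vulnerable variant returns success for an out-of-range index on the default-access path and leaves the marker value in default_access, which hv_get_default_access then hands back; the fixed variant returns -EINVAL without touching the table or the domain state.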