diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:38 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:38 +0100 |
commit | 82cb4113b6ace16de192021de20f6cbd991e478f (patch) | |
tree | a1e66bdc9463e4517fb3df25bdd5dfb23760d8a3 /tools | |
parent | 966070058d02cce9684e30073b61d6465e4b351c (diff) | |
download | xen-82cb4113b6ace16de192021de20f6cbd991e478f.tar.gz xen-82cb4113b6ace16de192021de20f6cbd991e478f.tar.bz2 xen-82cb4113b6ace16de192021de20f6cbd991e478f.zip |
libxc: Better range check in xc_dom_alloc_segment
If seg->pfn is too large, the arithmetic in the range check might
overflow, defeating the range check.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/libxc/xc_dom_core.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index 5f188c1321..3df71714aa 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -511,7 +511,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom, seg->vstart = start; seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size; - if ( pages > dom->total_pages || /* double test avoids overflow probs */ + if ( pages > dom->total_pages || /* multiple test avoids overflow probs */ + seg->pfn > dom->total_pages || pages > dom->total_pages - seg->pfn) { xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, |