On 29/11/17 14:34, Jann Horn wrote:
> On Wed, Nov 29, 2017 at 3:32 PM, Andrew Cooper
> <andrew.coop...@citrix.com> wrote:
>> On 29/11/17 14:23, Jann Horn wrote:
>>> gnttab_setup_table() has the following code:
>>>
>>> =============================================
>>> static long
>>> gnttab_setup_table(
>>>     XEN_GUEST_HANDLE_PARAM(gnttab_setup_table_t) uop, unsigned int count)
>>> {
>>>     struct gnttab_setup_table op;
>>>     struct domain *d;
>>>     struct grant_table *gt;
>>>     int            i;
>>>     xen_pfn_t  gmfn;
>>>
>>>     [...]
>>>
>>>     d = rcu_lock_domain_by_any_id(op.dom);
>>>     if ( d == NULL )
>>>     {
>>>         gdprintk(XENLOG_INFO, "Bad domid %d.\n", op.dom);
>>>         op.status = GNTST_bad_domain;
>>>         goto out2;
>>>     }
>>>
>>>     [...]
>>>  out2:
>>>     rcu_unlock_domain(d);
>>>  out1:
>>>     if ( unlikely(__copy_field_to_guest(uop, &op, status)) )
>>>         return -EFAULT;
>>>
>>>     return 0;
>>> }
>>> =============================================
>>> <snip>
>>>
>>> This results in the following crash in a debug build of Xen 4.9.1:
>> Thanks for the report.
>>
>> This was fixed in master by
>> http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=5e436e7a45082ea2cadc176c19e1df46c178448f
>> but it looks like it's not been backported to older releases.
> Urgh. I guess I really ought to fuzz master, not releases.

Actually, at this point it would be particularly helpful, as we are just
coming up to the 4.10 release.

The staging branch is slightly ahead of master at the moment (pending
completion of tests), and contains the fixes for the XSAs released
yesterday.

~Andrew
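The failure mode under discussion, as an added example that is not code from this thread or from Xen: a constructed model of an error path that jumps to a cleanup label which unlocks a domain the function never locked, beside a version whose labels only undo what was acquired before the jump. The `struct domain`, the lock helpers, the one-entry domain table and the status values are stand-ins (assumed, not Xen's), and the fixed variant shows the generic pattern rather than transcribing the linked commit.

```c
/*
 * Model of the gnttab_setup_table() error-path bug discussed above.
 * Everything here is a constructed stand-in: struct domain, the RCU
 * helpers, the domain table and the status codes model Xen's shapes
 * but are not Xen's code.
 */
#include <stddef.h>
#include <stdio.h>

#define GNTST_okay        0
#define GNTST_bad_domain (-2)   /* modelled after Xen's public grant_table.h */

struct domain {
    unsigned int domid;
    int rcu_readers;            /* models the RCU read-side hold count */
};

/* One constructed domain; any other domid is "bad" (lookup returns NULL). */
static struct domain dom_table[] = { { .domid = 1, .rcu_readers = 0 } };

/* Counts calls of rcu_unlock_domain(NULL). The real helper dereferences d
 * unconditionally, so in the hypervisor that call is a NULL-pointer fault:
 * the crash reported in the thread. Here it is recorded instead. */
int null_unlock_count = 0;

struct domain *rcu_lock_domain_by_any_id(unsigned int domid)
{
    for (size_t i = 0; i < sizeof dom_table / sizeof dom_table[0]; i++) {
        if (dom_table[i].domid == domid) {
            dom_table[i].rcu_readers++;
            return &dom_table[i];
        }
    }
    return NULL;
}

void rcu_unlock_domain(struct domain *d)
{
    if (d == NULL) {            /* would be a NULL dereference in Xen */
        null_unlock_count++;
        return;
    }
    d->rcu_readers--;
}

/* Buggy shape: a failed lookup jumps to out2, which unlocks d (== NULL). */
int setup_table_buggy(unsigned int domid)
{
    struct domain *d;
    int status = GNTST_okay;

    d = rcu_lock_domain_by_any_id(domid);
    if (d == NULL) {
        status = GNTST_bad_domain;
        goto out2;              /* BUG: out2 assumes d was locked */
    }
    /* ... table setup would go here ... */
 out2:
    rcu_unlock_domain(d);
    return status;
}

/* Fixed shape: each label undoes only what was acquired before the jump. */
int setup_table_fixed(unsigned int domid)
{
    struct domain *d;
    int status = GNTST_okay;

    d = rcu_lock_domain_by_any_id(domid);
    if (d == NULL) {
        status = GNTST_bad_domain;
        goto out1;              /* nothing is locked yet: skip the unlock */
    }
    /* ... table setup would go here ... */
    rcu_unlock_domain(d);
 out1:
    return status;
}

/* Helper so a caller can check the lock/unlock pairing stayed balanced. */
int rcu_readers_of(unsigned int domid)
{
    for (size_t i = 0; i < sizeof dom_table / sizeof dom_table[0]; i++)
        if (dom_table[i].domid == domid)
            return dom_table[i].rcu_readers;
    return -1;
}

int main(void)
{
    printf("buggy(99) -> %d, NULL unlocks so far: %d\n",
           setup_table_buggy(99), null_unlock_count);
    printf("fixed(99) -> %d, NULL unlocks so far: %d\n",
           setup_table_fixed(99), null_unlock_count);
    printf("fixed(1)  -> %d, readers left on dom 1: %d\n",
           setup_table_fixed(1), rcu_readers_of(1));
    return 0;
}
```

The point a reviewer checks on any function with stacked `out1`/`out2` labels is that every `goto` targets the label matching what has actually been acquired at that line; a debug build turns the mistake into an immediate crash, a release build into a silent NULL dereference on the same path.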

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
