queue-3.18/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch

   1 From 42d8644bd77dd2d747e004e367cb0c895a606f39 Mon Sep 17 00:00:00 2001
   2 From: Dan Carpenter <dan.carpenter@oracle.com>
   3 Date: Thu, 4 Apr 2019 18:12:17 +0300
   4 Subject: xen: Prevent buffer overflow in privcmd ioctl
   5
   6 From: Dan Carpenter <dan.carpenter@oracle.com>
   7
   8 commit 42d8644bd77dd2d747e004e367cb0c895a606f39 upstream.
   9
  10 The "call" variable comes from the user in privcmd_ioctl_hypercall().
  11 It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32)
  12 elements.  We need to put an upper bound on it to prevent an out of
  13 bounds access.
  14
  15 Cc: stable@vger.kernel.org
  16 Fixes: 1246ae0bb992 ("xen: add variable hypercall caller")
  17 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  18 Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
  19 Signed-off-by: Juergen Gross <jgross@suse.com>
  20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21
  22 ---
  23  arch/x86/include/asm/xen/hypercall.h |    3 +++
  24  1 file changed, 3 insertions(+)
  25
  26 --- a/arch/x86/include/asm/xen/hypercall.h
  27 +++ b/arch/x86/include/asm/xen/hypercall.h
  28 @@ -213,6 +213,9 @@ privcmd_call(unsigned call,
  29         __HYPERCALL_DECLS;
  30         __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
  31
  32 +       if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
  33 +               return -EINVAL;
  34 +
  35         asm volatile("call *%[call]"
  36                      : __HYPERCALL_5PARAM
  37                      : [call] "a" (&hypercall_page[call])