xen: Prevent buffer overflow in privcmd ioctl [Linux 3.16.72]

This Linux kernel change "xen: Prevent buffer overflow in privcmd ioctl" is included in the Linux 3.16.72 release. This change is authored by Dan Carpenter <dan.carpenter [at] oracle.com> on Thu Apr 4 18:12:17 2019 +0300. The commit for this change in Linux stable tree is e3c039e (patch) which is from upstream commit 42d8644. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 42d8644.

xen: Prevent buffer overflow in privcmd ioctl

commit 42d8644bd77dd2d747e004e367cb0c895a606f39 upstream.

The "call" variable comes from the user in privcmd_ioctl_hypercall().
It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32)
elements.  We need to put an upper bound on it to prevent an out of
bounds access.

Fixes: 1246ae0bb992 ("xen: add variable hypercall caller")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Boris Ostrovsky <[email protected]>
Signed-off-by: Juergen Gross <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>

There are 3 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 arch/x86/include/asm/xen/hypercall.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index da45f9f..5876b28 100644
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -215,6 +215,9 @@
    __HYPERCALL_DECLS;
    __HYPERCALL_5ARG(a1, a2, a3, a4, a5);

+   if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
+       return -EINVAL;
+
    stac();
    asm volatile(CALL_NOSPEC
             : __HYPERCALL_5PARAM

Leave a Reply

Your email address will not be published. Required fields are marked *