7 messages in com.xensource.lists.xen-ia64-develRe: [Xen-ia64-devel] [PATCH][TAKE3] F...
FromSent OnAttachments
Kouya Shimura13 Dec 2007 22:52.patch
tgin...@free.fr14 Dec 2007 05:15 
Alex Williamson14 Dec 2007 10:42 
Jarod Wilson14 Dec 2007 10:55 
Alex Williamson14 Dec 2007 11:32 
Jarod Wilson18 Dec 2007 13:15.patch
Alex Williamson18 Dec 2007 14:33 
Subject:Re: [Xen-ia64-devel] [PATCH][TAKE3] Fix vulnerability of copy_to_user in PAL emulation
From:Jarod Wilson (jwil@redhat.com)
Date:12/14/2007 10:55:10 AM
List:com.xensource.lists.xen-ia64-devel

Alex Williamson wrote:

On Fri, 2007-12-14 at 15:52 +0900, Kouya Shimura wrote:

Hi,

The reputation of my previous patch was not so good, then I rewrote it. An attached patch is temporary fix for xen-3.2.

Anyone know offhand if this vulnerability exists in xen 3.1.x as well? (As in, is this something a certain vendor shipping a xen 3.1.x codebase needs to pull into their own tree ASAP? :)

I think this patch is enough for normal usage. Please see SDM Vol2 11.10.2.1.3 "Making PAL Procedure Calls in Physical or Virtual Mode". If the caller has a responsibility of providing DTR or DTC mapping, xencomm for PAL might be unnecessary.

I confirmed there is no problem in linux, windows 2003, windows 2008 with this patch.

As for PV domain, the same logic can't be used due to only one vTLB. This patch only checks that the buffer never point VMM address, that would avoid the vulnerability.

Thanks for fixing this. Applied. Thanks,

-- Jarod Wilson jwil@redhat.com

_______________________________________________ Xen-ia64-devel mailing list Xen-@lists.xensource.com http://lists.xensource.com/xen-ia64-devel