• Ian Campbell's avatar
    xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. · 9e7860ce
    Ian Campbell authored
    Haogang Chen found out that:
    
     There is a potential integer overflow in process_msg() that could result
     in cross-domain attack.
    
     	body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
    
     When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
     call to xb_read() would write to a zero-length buffer.
    
     The other end of this connection is always the xenstore backend daemon
     so there is no guest (malicious or otherwise) which can do this. The
     xenstore daemon is a trusted component in the system.
    
     However this seem like a reasonable robustness improvement so we should
     have it.
    
    And Ian when read the API docs found that:
            The payload length (len field of the header) is limited to 4096
            (XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
            limit, its xenstored connection will be immediately killed by
            xenstored, which is usually catastrophic from the client's point of
            view.  Clients (particularly domains, which cannot just reconnect)
            should avoid this.
    
    so this patch checks against that instead.
    
    This also avoids a potential integer overflow pointed out by Haogang Chen.
    Signed-off-by: default avatarIan Campbell <ian.campbell@citrix.com>
    Cc: Haogang Chen <haogangchen@gmail.com>
    CC: stable@kernel.org
    Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    9e7860ce
xs_wire.h 2.17 KB