[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
i386/xen: prevent guest from binding loopback event channel to itself
|
From: |
David Woodhouse |
|
Subject: |
i386/xen: prevent guest from binding loopback event channel to itself |
|
Date: |
Tue, 25 Jul 2023 11:05:02 +0100 |
|
User-agent: |
Evolution 3.44.4-0ubuntu1 |
From: David Woodhouse <dwmw@amazon.co.uk>
Fuzzing showed that a guest could bind an interdomain port to itself, by
guessing the next port to be allocated and putting that as the 'remote'
port number. By chance, that works because the newly-allocated port has
type EVTCHNSTAT_unbound. It shouldn't.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
index 0e9c108614..70b4b8a6ef 100644
--- a/hw/i386/kvm/xen_evtchn.c
+++ b/hw/i386/kvm/xen_evtchn.c
@@ -1408,8 +1408,15 @@ int xen_evtchn_bind_interdomain_op(struct
evtchn_bind_interdomain *interdomain)
XenEvtchnPort *rp = &s->port_table[interdomain->remote_port];
XenEvtchnPort *lp = &s->port_table[interdomain->local_port];
- if (rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) {
- /* It's a match! */
+ /*
+ * The 'remote' port for loopback must be an unbound port allocated for
+ * communication with the local domain (as indicated by rp->type_val
+ * being zero, not PORT_INFO_TYPEVAL_REMOTE_QEMU), and must *not* be
+ * the port that was just allocated for the local end.
+ */
+ if (interdomain->local_port != interdomain->remote_port &&
+ rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) {
+
rp->type = EVTCHNSTAT_interdomain;
rp->type_val = interdomain->local_port;
--
2.34.1
smime.p7s
Description: S/MIME cryptographic signature
- i386/xen: prevent guest from binding loopback event channel to itself,
David Woodhouse <=