Message ID | 20191219204202.27849-1-andrew.cooper3@citrix.com (mailing list archive) |
---|---|
State | New, archived |
Series | libxc/restore: Fix data auditing in handle_x86_pv_vcpu_blob() |
Andrew Cooper writes ("[PATCH] libxc/restore: Fix data auditing in handle_x86_pv_vcpu_blob()"):

> The current logic only works by chance, in that XSAVE records also tend to be
> a multiple of 128. Implement the missing logic for XSAVE.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

diff --git a/tools/libxc/xc_sr_restore_x86_pv.c b/tools/libxc/xc_sr_restore_x86_pv.c index 1a26f2205f..116a004726 100644 --- a/tools/libxc/xc_sr_restore_x86_pv.c +++ b/tools/libxc/xc_sr_restore_x86_pv.c @@ -825,6 +825,15 @@ static int handle_x86_pv_vcpu_blob(struct xc_sr_context *ctx, break; case REC_TYPE_X86_PV_VCPU_XSAVE: + if ( blobsz < 128 ) + { + ERROR("%s record too short: min %zu, got %u", + rec_name, sizeof(*vhdr) + 128, rec->length); + goto out; + } + break; + + case REC_TYPE_X86_PV_VCPU_MSRS: if ( blobsz % sizeof(xen_domctl_vcpu_msr_t) != 0 ) { ERROR("%s record payload size %zu expected to be a multiple of %zu",
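
Review bot: In the new REC_TYPE_X86_PV_VCPU_XSAVE case the literal 128 appears twice, in the `blobsz < 128` test and in the `sizeof(*vhdr) + 128` argument of the error message, with nothing saying what it stands for. A named constant or a one-line comment stating what the 128-byte minimum covers would make the audit reviewable and keep the two uses in sync. The case also enforces only a lower bound before `break`; if the restore path depends on a maximum size or an alignment for the XSAVE payload, this is the place to reject violations, and the commit message's remark that sizes "tend to be a multiple of 128" would be clearer if it said whether that alignment is required or incidental.
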
The current logic only works by chance, in that XSAVE records also tend to be
a multiple of 128. Implement the missing logic for XSAVE.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

---

CC: Ian Jackson <Ian.Jackson@citrix.com>
CC: Wei Liu <wl@xen.org>

---

tools/libxc/xc_sr_restore_x86_pv.c | 9 +++++++++
1 file changed, 9 insertions(+)