From: Michael Bommarito
To: Juergen Gross, Stefano Stabellini, Oleksandr Tyshchenko
Cc: xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org
Subject: [PATCH] xen/pvcalls: bound backend response req_id before indexing rsp[]
Date: Wed, 10 Jun 2026 07:41:37 -0400
Message-ID: <20260610114137.3749027-1-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

pvcalls_front_event_handler() takes req_id directly from the backend-supplied ring response and uses it to index the fixed-size bedata->rsp[] array for a memcpy() and a store, with no range check. A malicious or buggy backend can set req_id past PVCALLS_NR_RSP_PER_RING and drive an out-of-bounds write past the bedata allocation.

req_id was also declared int while the wire field rsp->req_id is u32, so a range check on the signed value is insufficient on its own: a backend req_id of 0xffffffff becomes -1, passes the >= PVCALLS_NR_RSP_PER_RING test, and indexes bedata->rsp[-1], an out-of-bounds write to the left of the array. Declare req_id as u32 and add the range check so both ends of the index are covered.

The pvcalls frontend currently trusts its backend, so this is not a classic-Xen security issue, but it matters for hardening PV frontends against malicious backends (confidential and disaggregated deployments). Reject responses whose req_id is out of range.

Fixes: 235a71c53903 ("xen/pvcalls: implement release command")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito
---
 drivers/xen/pvcalls-front.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c
index 50ce4820f7eeb..78bd4e894b32e 100644
--- a/drivers/xen/pvcalls-front.c
+++ b/drivers/xen/pvcalls-front.c
@@ -168,7 +168,8 @@ static irqreturn_t pvcalls_front_event_handler(int irq,= void *dev_id) struct pvcalls_bedata *bedata; struct xen_pvcalls_response *rsp; uint8_t *src, *dst; - int req_id =3D 0, more =3D 0, done =3D 0; + u32 req_id =3D 0; + int more =3D 0, done =3D 0; =20 if (dev =3D=3D NULL) return IRQ_HANDLED; @@ -185,6 +186,12 @@ static irqreturn_t pvcalls_front_event_handler(int irq= , void *dev_id) rsp =3D RING_GET_RESPONSE(&bedata->ring, bedata->ring.rsp_cons); =20 req_id =3D rsp->req_id; + if (req_id >=3D PVCALLS_NR_RSP_PER_RING) { + /* Malicious or buggy backend: req_id out of range. */ + bedata->ring.rsp_cons++; + done =3D 1; + continue; + } if (rsp->cmd =3D=3D PVCALLS_POLL) { struct sock_mapping *map =3D (struct sock_mapping *)(uintptr_t) rsp->u.poll.id; --=20 2.53.0
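Review bot: in the second hunk the out-of-range branch consumes the response silently, yet the commit message frames the condition as evidence of a malicious or buggy backend, so a rate-limited warning before the `continue` would make the misbehaviour observable instead of surfacing only as stalled requests, for example `dev_warn_ratelimited(&dev->dev, "pvcalls: dropping response with out-of-range req_id %u\n", req_id);` (dev is the xenbus_device already checked for NULL in the first hunk). It would also help to state in the commit message that the check guards only the path that indexes `bedata->rsp[req_id]`: the PVCALLS_POLL branch in the same hunk's context still casts the backend-supplied `rsp->u.poll.id` straight to a `struct sock_mapping *`, so that value remains in the trusts-the-backend category this patch does not address. The u32 change in the first hunk is needed for the comparison to be sound and reads correctly; the new declaration keeps a `= 0` initializer that is immediately overwritten by `req_id = rsp->req_id` at the top of the loop, which is harmless but could be dropped.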