On 27/11/17 09:12, Jan Beulich wrote: > As a follow-up to XSA-212 we should have addressed a similar issue here: > The handles being advanced at the top of xenmem_add_to_physmap_batch() > means we allow hypervisor space accesses (in particular, for "errs", > writes) with suitably crafted input arguments. This isn't a security > issue in this case because of the limited width of struct > xen_add_to_physmap_batch's size field: It being 16-bits wide, only the > r/o M2P area can be accessed. Still we can and should do better. > > Signed-off-by: Jan Beulich <[email protected]>
Acked-by: Andrew Cooper <[email protected]> _______________________________________________ Xen-devel mailing list [email protected] https://lists.xenproject.org/mailman/listinfo/xen-devel
