From 262114a440bf7c32fd6d215e243b3eaebdd6d7cd Mon Sep 17 00:00:00 2001 From: Roger Pau Monne Date: Thu, 10 Jul 2025 15:51:40 +0200 Subject: [PATCH 1/3] x86/viridian: avoid NULL pointer dereference in update_reference_tsc() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The function is only called when the MSR has the enabled bit set, but even then the page might not be mapped because the guest provided gfn is not suitable. Prevent a NULL pointer dereference in update_reference_tsc() by checking whether the page is mapped. This is CVE-2025-27466 / part of XSA-472. Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page') Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/viridian/time.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/arch/x86/hvm/viridian/time.c b/xen/arch/x86/hvm/viridian/time.c index 137577384f1e..ca6d526f46b7 100644 --- a/xen/arch/x86/hvm/viridian/time.c +++ b/xen/arch/x86/hvm/viridian/time.c @@ -26,6 +26,10 @@ static void update_reference_tsc(const struct domain *d, bool initialize) HV_REFERENCE_TSC_PAGE *p = rt->ptr; uint32_t seq; + /* Reference TSC page might not be mapped even if the MSR is enabled. */ + if ( !p ) + return; + if ( initialize ) clear_page(p); -- 2.49.0
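Review bot: The early `if ( !p ) return;` in update_reference_tsc() silently skips both the `initialize` path (clear_page()) and the sequence update, and neither the caller nor the guest gets any indication that the reference TSC page was never set up. Since the commit message says this state arises when the MSR has the enabled bit set but the guest-provided gfn was not suitable for mapping, consider expanding the added comment to say so, for example "/* The MSR may be enabled while the page is unmapped: the guest supplied an unsuitable gfn, so rt->ptr is NULL. */", and consider whether the `initialize` case deserves a diagnostic (or clearing of the enabled bit at the MSR write site) rather than an unconditional silent return, so that a guest which programmed a bad gfn does not keep reading a page that is never populated. The check itself is correct for the NULL dereference, and its placement after the `seq` declaration and before the first use of `p` follows Xen's style.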