xen/26132-tmem-save-NULL-check.patch

# HG changeset patch
# User Matthew Daley <mattjd@gmail.com>
# Date 1352709297 -3600
# Node ID 286ef4ced2164f4e9bf52fd0c52248182e69a6e6
# Parent  62885b3c34c84354ead017703a86f0465cb58cf7
tmem: Prevent NULL dereference on error case

If the client / pool IDs given to tmemc_save_get_next_page are invalid,
the calculation of pagesize will dereference NULL.

Fix this by moving the calculation below the appropriate NULL check.

Signed-off-by: Matthew Daley <mattjd@gmail.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2446,10 +2446,12 @@ static NOINLINE int tmemc_save_get_next_
     OID oid;
     int ret = 0;
     struct tmem_handle h;
-    unsigned int pagesize = 1 << (pool->pageshift+12);
+    unsigned int pagesize;
 
     if ( pool == NULL || is_ephemeral(pool) )
         return -1;
+
+    pagesize = 1 << (pool->pageshift + 12);
     if ( bufsize < pagesize + sizeof(struct tmem_handle) )
         return -ENOMEM;
- NetWare will not boot or install on Xen 4.2 reverse-24757-use-grant-references.patch - fate#313222 - xenstore-chmod should support 256 permissions 26189-xenstore-chmod.patch - bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) CVE-2012-5510-xsa26.patch - bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) CVE-2012-5511-xsa27.patch - bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) CVE-2012-5513-xsa29.patch - bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) CVE-2012-5514-xsa30.patch - bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) CVE-2012-5515-xsa31.patch - bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not validate input GFNs (XSA-32) CVE-2012-5525-xsa32.patch - Upstream patches from Jan 26129-ACPI-BGRT-invalidate.patch 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26139-cpumap-masking.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=219 2012-12-07 18:04:08 +00:00			`# HG changeset patch`
			`# User Matthew Daley <mattjd@gmail.com>`
			`# Date 1352709297 -3600`
			`# Node ID 286ef4ced2164f4e9bf52fd0c52248182e69a6e6`
			`# Parent 62885b3c34c84354ead017703a86f0465cb58cf7`
			`tmem: Prevent NULL dereference on error case`

			`If the client / pool IDs given to tmemc_save_get_next_page are invalid,`
			`the calculation of pagesize will dereference NULL.`

			`Fix this by moving the calculation below the appropriate NULL check.`

			`Signed-off-by: Matthew Daley <mattjd@gmail.com>`
			`Committed-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/common/tmem.c`
			`+++ b/xen/common/tmem.c`
			`@@ -2446,10 +2446,12 @@ static NOINLINE int tmemc_save_get_next_`
			`OID oid;`
			`int ret = 0;`
			`struct tmem_handle h;`
			`- unsigned int pagesize = 1 << (pool->pageshift+12);`
			`+ unsigned int pagesize;`

			`if ( pool == NULL \|\| is_ephemeral(pool) )`
			`return -1;`
			`+`
			`+ pagesize = 1 << (pool->pageshift + 12);`
			`if ( bufsize < pagesize + sizeof(struct tmem_handle) )`
			`return -ENOMEM;`