xen/25853-tmem-xsa-15-4.patch

# HG changeset patch
# User Ian Campbell <ian.campbell@citrix.com>
# Date 1347365847 -7200
# Node ID f53c5aadbba9d389f4a7d83f308499e22d1d1eda
# Parent  d189d99ef00c1e197321593d13282e1b57eb4a38
tmem: check for a valid client ("domain") in the save subops

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2379,12 +2379,18 @@ static NOINLINE int tmemc_save_subop(int
         rc = MAX_POOLS_PER_DOMAIN;
         break;
     case TMEMC_SAVE_GET_CLIENT_WEIGHT:
+        if ( client == NULL )
+            break;
         rc = client->weight == -1 ? -2 : client->weight;
         break;
     case TMEMC_SAVE_GET_CLIENT_CAP:
+        if ( client == NULL )
+            break;
         rc = client->cap == -1 ? -2 : client->cap;
         break;
     case TMEMC_SAVE_GET_CLIENT_FLAGS:
+        if ( client == NULL )
+            break;
         rc = (client->compress ? TMEM_CLIENT_COMPRESS : 0 ) |
              (client->was_frozen ? TMEM_CLIENT_FROZEN : 0 );
         break;
@@ -2408,6 +2414,8 @@ static NOINLINE int tmemc_save_subop(int
         *uuid = pool->uuid[1];
         rc = 0;
     case TMEMC_SAVE_END:
+        if ( client == NULL )
+            break;
         client->live_migrating = 0;
         if ( !list_empty(&client->persistent_invalidated_list) )
             list_for_each_entry_safe(pgp,pgp2,
- Upstream patches from Jan 25833-32on64-bogus-pt_base-adjust.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25861-x86-early-fixmap.patch 25862-sercon-non-com.patch 25863-sercon-ehci-dbgp.patch 25864-sercon-unused.patch 25866-sercon-ns16550-pci-irq.patch 25867-sercon-ns16550-parse.patch 25874-x86-EFI-chain-cfg.patch 25909-xenpm-consistent.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=201 2012-09-21 14:45:08 +00:00			`# HG changeset patch`
			`# User Ian Campbell <ian.campbell@citrix.com>`
			`# Date 1347365847 -7200`
			`# Node ID f53c5aadbba9d389f4a7d83f308499e22d1d1eda`
			`# Parent d189d99ef00c1e197321593d13282e1b57eb4a38`
			`tmem: check for a valid client ("domain") in the save subops`

			`This is part of XSA-15 / CVE-2012-3497.`

			`Signed-off-by: Ian Campbell <ian.campbell@citrix.com>`
			`Acked-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>`
			`Committed-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/common/tmem.c`
			`+++ b/xen/common/tmem.c`
			`@@ -2379,12 +2379,18 @@ static NOINLINE int tmemc_save_subop(int`
			`rc = MAX_POOLS_PER_DOMAIN;`
			`break;`
			`case TMEMC_SAVE_GET_CLIENT_WEIGHT:`
			`+ if ( client == NULL )`
			`+ break;`
			`rc = client->weight == -1 ? -2 : client->weight;`
			`break;`
			`case TMEMC_SAVE_GET_CLIENT_CAP:`
			`+ if ( client == NULL )`
			`+ break;`
			`rc = client->cap == -1 ? -2 : client->cap;`
			`break;`
			`case TMEMC_SAVE_GET_CLIENT_FLAGS:`
			`+ if ( client == NULL )`
			`+ break;`
			`rc = (client->compress ? TMEM_CLIENT_COMPRESS : 0 ) \|`
			`(client->was_frozen ? TMEM_CLIENT_FROZEN : 0 );`
			`break;`
			`@@ -2408,6 +2414,8 @@ static NOINLINE int tmemc_save_subop(int`
			`*uuid = pool->uuid[1];`
			`rc = 0;`
			`case TMEMC_SAVE_END:`
			`+ if ( client == NULL )`
			`+ break;`
			`client->live_migrating = 0;`
			`if ( !list_empty(&client->persistent_invalidated_list) )`
			`list_for_each_entry_safe(pgp,pgp2,`