xen/25927-x86-domctl-ioport-mapping-range.patch

# HG changeset patch
# User Jan Beulich <jbeulich@suse.com>
# Date 1348039675 -7200
# Node ID 3e3959413b2fbef584993beb434285d0691d5c67
# Parent  4a0438fe1e6afe01e46023bcb2c828c5aaeefb1d
x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range

In particular, the case of "np" being a very large value wasn't handled
correctly. The range start checks also were off by one (except that in
practice, when "np" is properly range checked, this would still have
been caught by the range end checks).

Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay?

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>

--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -888,7 +888,7 @@ long arch_do_domctl(
         int found = 0;
 
         ret = -EINVAL;
-        if ( (np == 0) || (fgp > MAX_IOPORTS) || (fmp > MAX_IOPORTS) ||
+        if ( ((fgp | fmp | (np - 1)) >= MAX_IOPORTS) ||
             ((fgp + np) > MAX_IOPORTS) || ((fmp + np) > MAX_IOPORTS) )
         {
             printk(XENLOG_G_ERR
- Upstream patches from Jan 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch 25931-x86-domctl-iomem-mapping-checks.patch 25940-x86-S3-flush-cache.patch 25952-x86-MMIO-remap-permissions.patch 25961-x86-HPET-interrupts.patch 25962-x86-assign-irq-vector-old.patch 25965-x86-ucode-Intel-resume.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=205 2012-10-03 00:08:01 +02:00			`# HG changeset patch`
			`# User Jan Beulich <jbeulich@suse.com>`
			`# Date 1348039675 -7200`
			`# Node ID 3e3959413b2fbef584993beb434285d0691d5c67`
			`# Parent 4a0438fe1e6afe01e46023bcb2c828c5aaeefb1d`
			`x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range`

			`In particular, the case of "np" being a very large value wasn't handled`
			`correctly. The range start checks also were off by one (except that in`
			`practice, when "np" is properly range checked, this would still have`
			`been caught by the range end checks).`

			`Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay?`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Keir Fraser <keir@xen.org>`

			`--- a/xen/arch/x86/domctl.c`
			`+++ b/xen/arch/x86/domctl.c`
			`@@ -888,7 +888,7 @@ long arch_do_domctl(`
			`int found = 0;`

			`ret = -EINVAL;`
			`- if ( (np == 0) \|\| (fgp > MAX_IOPORTS) \|\| (fmp > MAX_IOPORTS) \|\|`
			`+ if ( ((fgp \| fmp \| (np - 1)) >= MAX_IOPORTS) \|\|`
			`((fgp + np) > MAX_IOPORTS) \|\| ((fmp + np) > MAX_IOPORTS) )`
			`{`
			`printk(XENLOG_G_ERR`