08af757235
25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch 25931-x86-domctl-iomem-mapping-checks.patch 25940-x86-S3-flush-cache.patch 25952-x86-MMIO-remap-permissions.patch 25961-x86-HPET-interrupts.patch 25962-x86-assign-irq-vector-old.patch 25965-x86-ucode-Intel-resume.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=205
29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
# HG changeset patch
|
|
# User Jan Beulich <jbeulich@suse.com>
|
|
# Date 1348039675 -7200
|
|
# Node ID 3e3959413b2fbef584993beb434285d0691d5c67
|
|
# Parent 4a0438fe1e6afe01e46023bcb2c828c5aaeefb1d
|
|
x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range
|
|
|
|
In particular, the case of "np" being a very large value wasn't handled
|
|
correctly. The range start checks also were off by one (except that in
|
|
practice, when "np" is properly range checked, this would still have
|
|
been caught by the range end checks).
|
|
|
|
Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay?
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
--- a/xen/arch/x86/domctl.c
|
|
+++ b/xen/arch/x86/domctl.c
|
|
@@ -888,7 +888,7 @@ long arch_do_domctl(
|
|
int found = 0;
|
|
|
|
ret = -EINVAL;
|
|
- if ( (np == 0) || (fgp > MAX_IOPORTS) || (fmp > MAX_IOPORTS) ||
|
|
+ if ( ((fgp | fmp | (np - 1)) >= MAX_IOPORTS) ||
|
|
((fgp + np) > MAX_IOPORTS) || ((fmp + np) > MAX_IOPORTS) )
|
|
{
|
|
printk(XENLOG_G_ERR
|