xen/538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch

References: bnc#878841 CVE-2014-3967 CVE-2014-3968 XSA-96

# Commit 6f4cc0ac41625a054861b417ea1fc3ab88e2e40a
# Date 2014-06-03 15:17:14 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: eliminate vulnerabilities from hvm_inject_msi()

- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
  mustn't unconditionally de-reference it, and we need to invoke it
  another time after having called map_domain_emuirq_pirq()
- don't use printk(), namely without XENLOG_GUEST, for error reporting

This is XSA-96.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/irq.c
+++ b/xen/arch/x86/hvm/irq.c
@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
             struct pirq *info = pirq_info(d, pirq);
 
             /* if it is the first time, allocate the pirq */
-            if (info->arch.hvm.emuirq == IRQ_UNBOUND)
+            if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
             {
                 spin_lock(&d->event_lock);
                 map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
                 spin_unlock(&d->event_lock);
+                info = pirq_info(d, pirq);
+                if ( !info )
+                    return;
             } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
-            {
-                printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
                 return;
-            }
             send_guest_pirq(d, info);
             return;
-        } else {
-            printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
         }
     }