# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1346844497 -3600
# Node ID 6779ddca8593b766ccabcfec294ba10f17e68484
# Parent bcc3402927311c64cc04e59d3680680b09459da6
xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq
This is XSA-13 / CVE-2012-3495
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>
diff -r bcc340292731 -r 6779ddca8593 xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c Wed Sep 05 12:27:54 2012 +0100
+++ b/xen/arch/x86/physdev.c Wed Sep 05 12:28:17 2012 +0100
@@ -587,11 +587,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
break;
spin_lock(&d->event_lock);
- out.pirq = get_free_pirq(d, out.type, 0);
- d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
+ ret = get_free_pirq(d, out.type, 0);
+ if ( ret >= 0 )
+ d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
spin_unlock(&d->event_lock);
- ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+ if ( ret >= 0 )
+ {
+ out.pirq = ret;
+ ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+ }
rcu_unlock_domain(d);
break;
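Review bot: When `copy_to_guest` fails in the second `if ( ret >= 0 )` block, the slot written under the lock stays `PIRQ_ALLOCATED` although the call returns -EFAULT. The guest never learns the number, so that pirq appears to be lost to the domain; the impact looks limited to the caller's own pirq space, but the hunk neither releases the slot nor says the leak is accepted. If it is intentional, a comment such as `/* On -EFAULT the pirq stays allocated; only the calling domain loses the slot. */` would record that. The first guard also deserves a short why-comment, for example `/* get_free_pirq() returns a negative value when no pirq is free; it must never be used as an index into pirq_irq[]. */`, because that unchecked index is what the fix removes. The enclosing `do_physdev_op` case starts and ends outside this hunk, so the type of `ret` and the handling after `rcu_unlock_domain(d)` cannot be confirmed from here.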