rpms / xen

Clone
Source Code
GIT

Files

  1.   804b8835736407d0d0ce36c765fd1551b547647e
  2.   xen-4.1-testing.23350.patch
Blob Blame History Raw 

# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1346844497 -3600
# Node ID 6779ddca8593b766ccabcfec294ba10f17e68484
# Parent  bcc3402927311c64cc04e59d3680680b09459da6
xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq

This is XSA-13 / CVE-2012-3495

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Jan Beulich <JBeulich@suse.com>

diff -r bcc340292731 -r 6779ddca8593 xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c	Wed Sep 05 12:27:54 2012 +0100
+++ b/xen/arch/x86/physdev.c	Wed Sep 05 12:28:17 2012 +0100
@@ -587,11 +587,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
             break;
 
         spin_lock(&d->event_lock);
-        out.pirq = get_free_pirq(d, out.type, 0);
-        d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
+        ret = get_free_pirq(d, out.type, 0);
+        if ( ret >= 0 )
+            d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
         spin_unlock(&d->event_lock);
 
-        ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+        if ( ret >= 0 )
+        {
+            out.pirq = ret;
+            ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+        }
 
         rcu_unlock_domain(d);
         break;
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.