diff options
author | Ian Campbell <ian.campbell@citrix.com> | 2012-07-25 17:39:21 +0100 |
---|---|---|
committer | Ian Campbell <ian.campbell@citrix.com> | 2012-07-25 17:39:21 +0100 |
commit | b905f2f14b31bc9a060a7aea712056b73b17c036 (patch) | |
tree | c1546a088cf251a32b8ba62747af87ae6bbd1956 | |
parent | b75cc14b3435d57eb5d3648a203e137bae4052b2 (diff) | |
download | xen-b905f2f14b31bc9a060a7aea712056b73b17c036.tar.gz xen-b905f2f14b31bc9a060a7aea712056b73b17c036.tar.bz2 xen-b905f2f14b31bc9a060a7aea712056b73b17c036.zip |
arm: add bounds check on hypercall array
Otherwise a guest can cause us to run off the end of the array.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
[ ijc -- switched to >= not > ]
Committed-by: Ian Campbell <ian.campbell@citrix.com>
-rw-r--r-- | xen/arch/arm/traps.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index f2c25b5821..d2adf4fee1 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -479,6 +479,12 @@ static void do_trap_hypercall(struct cpu_user_regs *regs, unsigned long iss) return; } + if ( regs->r12 >= ARRAY_SIZE(arm_hypercall_table) ) + { + regs->r0 = -ENOSYS; + return; + } + call = arm_hypercall_table[regs->r12].fn; if ( call == NULL ) { |