authorIan Jackson <Ian.Jackson@eu.citrix.com>2012-09-05 12:29:52 +0100
committerIan Jackson <Ian.Jackson@eu.citrix.com>2012-09-05 12:29:52 +0100
commit76ea16276c15d89c3b1d67a58e55fa11cf42a1d7 (patch)
tree3a8b840f4c0cd05a59e2c4b5e654a881cd97a1f8
parent15638f14e9a25032676960a46b5ba68079d29aaa (diff)
x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
This is being used as an array index, and hence must be validated before use. This is XSA-16 / CVE-2012-3498. Signed-off-by: Jan Beulich <jbeulich@suse.com>
-rw-r--r--xen/arch/x86/physdev.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c
index b0458fdec5..3aa157f706 100644
--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -42,11 +42,18 @@ static int physdev_hvm_map_pirq(
struct hvm_girq_dpci_mapping *girq;
uint32_t machine_gsi = 0;
+ if ( *index < 0 || *index >= NR_HVM_IRQS )
+ {
+ ret = -EINVAL;
+ break;
+ }
+
/* find the machine gsi corresponding to the
* emulated gsi */
hvm_irq_dpci = domain_get_irq_dpci(d);
if ( hvm_irq_dpci )
{
+ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
list_for_each_entry ( girq,
&hvm_irq_dpci->girq[*index],
list )
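Review bot: The new range check at the top of the hunk carries no comment saying what it protects, and the `BUILD_BUG_ON` that ties `NR_HVM_IRQS` to the size of `hvm_irq_dpci->girq` sits several lines further down, inside the `if ( hvm_irq_dpci )` block. I would add a comment above the check such as `/* *index is caller-supplied and is used to index hvm_irq_dpci->girq[] below. */` and move the `BUILD_BUG_ON` up beside the check, so the bound and the compile-time assertion that justifies it read together. Going by the commit title the value arrives through PHYSDEVOP_map_pirq, so it is presumably guest-controlled, but the caller is not visible here. The enclosing `case` block of physdev_hvm_map_pirq starts and ends outside the hunk, so what the `break` jumps to and how `ret` is used afterwards cannot be confirmed from these lines.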