diff options
| author | kaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk> | 2005-06-27 20:17:02 +0000 |
|---|---|---|
| committer | kaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk> | 2005-06-27 20:17:02 +0000 |
| commit | b4dc2718f8f4002e26c5c0a52208db16f03cf532 (patch) | |
| tree | d279355f37e899158a6486fd867b9f7c43970458 | |
| parent | 8cc2fa854496cf98dbed0c8771719b91a2a8fec5 (diff) | |
| download | xen-b4dc2718f8f4002e26c5c0a52208db16f03cf532.tar.gz xen-b4dc2718f8f4002e26c5c0a52208db16f03cf532.tar.bz2 xen-b4dc2718f8f4002e26c5c0a52208db16f03cf532.zip | |
bitkeeper revision 1.1760 (42c05ebeLIfrneiw1jaZMwle-z9usw)
Check set_gdt() bounds before copy_from_user.
Signed-off-by: Chris Wright <chrisw@osdl.org>
| -rw-r--r-- | xen/arch/x86/mm.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 52b4048909..06e47e5eea 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2442,6 +2442,10 @@ long do_set_gdt(unsigned long *frame_list, unsigned int entries) unsigned long frames[16]; long ret; + /* Rechecked in set_gdt, but ensures a sane limit for copy_from_user(). */ + if ( entries > FIRST_RESERVED_GDT_ENTRY ) + return -EINVAL; + if ( copy_from_user(frames, frame_list, nr_pages * sizeof(unsigned long)) ) return -EFAULT; |