From mboxrd@z Thu Jan  1 00:00:00 1970
From: Grzegorz Milos <gm281@cam.ac.uk>
Subject: [PATCH] Out of bound check in bind_virq (trivial)
Date: Thu, 06 Oct 2005 19:16:29 +0100
Message-ID: <434569FD.5040007@cam.ac.uk>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------070108040400040209040205"
Return-path: <xen-devel-bounces@lists.xensource.com>
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel <xen-devel@lists.xensource.com>, Keir Fraser <Keir.Fraser@cl.cam.ac.uk>
List-Id: xen-devel@lists.xenproject.org

This is a multi-part message in MIME format.
--------------070108040400040209040205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Here is a trivial patch that adds a domain->vcpu array out of bound 
check (without it I managed to take whole Xen down by trying to run a 
buggy domain).

Cheers
Gregor

--------------070108040400040209040205
Content-Type: text/x-patch;
 name="vcpu_bounds.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="vcpu_bounds.patch"

# HG changeset patch
# User gmilos@localhost.localdomain
# Node ID 0c6432737d58f7276a3f60322123f3d967b23f91
# Parent  76a7a7aa27e40022fbfeacdd8d6ed9395e875894
Added missing array out of bound check for d->vcpu.
Signed-off-by: Grzegorz Milos <gm281@cam.ac.uk>

diff -r 76a7a7aa27e4 -r 0c6432737d58 xen/common/event_channel.c
--- a/xen/common/event_channel.c	Thu Oct  6 16:02:38 2005
+++ b/xen/common/event_channel.c	Thu Oct  6 18:08:04 2005
@@ -269,7 +269,8 @@
     if ( virq >= ARRAY_SIZE(v->virq_to_evtchn) )
         return -EINVAL;
 
-    if ( (v = d->vcpu[bind->vcpu]) == NULL )
+    if ( bind->vcpu >= ARRAY_SIZE(d->vcpu) || 
+            (v = d->vcpu[bind->vcpu]) == NULL )
         return -ENOENT;
 
     spin_lock(&d->evtchn_lock);

--------------070108040400040209040205
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

--------------070108040400040209040205--