From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Jan Beulich" Subject: [PATCH] x86: secure ioapic_guest_write() against FREE_TO_ASSIGN irq values Date: Wed, 19 Nov 2008 16:05:35 +0000 Message-ID: <4924475F.76E4.0078.0@novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Return-path: Content-Disposition: inline List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: xen-devel@lists.xensource.com List-Id: xen-devel@lists.xenproject.org Signed-off-by: Jan Beulich Index: 2008-10-27/xen/arch/x86/io_apic.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- 2008-10-27.orig/xen/arch/x86/io_apic.c 2008-11-19 15:41:31.0000000= 00 +0100 +++ 2008-10-27/xen/arch/x86/io_apic.c 2008-11-19 16:56:51.000000000 = +0100 @@ -2186,7 +2186,7 @@ int ioapic_guest_write(unsigned long phy if ( new_rte.vector >=3D FIRST_DYNAMIC_VECTOR ) new_irq =3D vector_irq[new_rte.vector]; =20 - if ( (old_irq !=3D new_irq) && (old_irq !=3D -1) && IO_APIC_IRQ(old_ir= q) ) + if ( (old_irq !=3D new_irq) && (old_irq >=3D 0) && IO_APIC_IRQ(old_irq= ) ) { if ( irq_desc[IO_APIC_VECTOR(old_irq)].action ) { @@ -2198,7 +2198,7 @@ int ioapic_guest_write(unsigned long phy remove_pin_at_irq(old_irq, apic, pin); } =20 - if ( (new_irq !=3D -1) && IO_APIC_IRQ(new_irq) ) + if ( (new_irq >=3D 0) && IO_APIC_IRQ(new_irq) ) { if ( irq_desc[IO_APIC_VECTOR(new_irq)].action ) {
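Review bot: in the first hunk (@@ -2186), the new test `(old_irq >= 0)` only rejects negative sentinels if `old_irq` is a signed type, and neither its declaration nor its assignment is visible in this hunk. If it were unsigned, the comparison would always be true and would filter nothing, where the old `!= -1` at least caught one value. Please confirm that `old_irq` and `new_irq` are plain `int`. Also, the condition bounds the value from below only: `IO_APIC_VECTOR(old_irq)` is then used to index `irq_desc[]`, so it is worth stating in the description where the upper bound on the irq is guaranteed.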
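Review bot: in the second hunk (@@ -2198), `new_irq` is read from `vector_irq[new_rte.vector]`, a table indexed by a vector the guest supplied, yet the patch carries no description beyond the subject line and the name FREE_TO_ASSIGN appears nowhere in the changed code. A reader of `(new_irq >= 0)` cannot tell which table values the check is meant to exclude. Suggest adding a sentence to the commit message saying that `vector_irq[]` entries can hold negative markers other than -1 (FREE_TO_ASSIGN being the one named in the subject), and a short comment at one of the two checks. Since both hunks now apply the same `>= 0 && IO_APIC_IRQ(...)` test, a small helper predicate would keep them from drifting apart if another sentinel is added later.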