From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Campbell Subject: [PATCH 2/4] arm: add bounds check on hypercall array Date: Wed, 25 Jul 2012 14:43:59 +0000 Message-ID: <1343227442-2781-2-git-send-email-ian.campbell@citrix.com> References: <1343224660.18971.97.camel@zakaz.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1343224660.18971.97.camel@zakaz.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: Stefano Stabellini , Tim Deegan , Ian Campbell List-Id: xen-devel@lists.xenproject.org Otherwise a guest can cause us to run off the end of the array. Signed-off-by: Ian Campbell --- xen/arch/arm/traps.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index f2c25b5..6201d38 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -479,6 +479,12 @@ static void do_trap_hypercall(struct cpu_user_regs *regs, unsigned long iss) return; } + if ( regs->r12 > ARRAY_SIZE(arm_hypercall_table) ) + { + regs->r0 = -ENOSYS; + return; + } + call = arm_hypercall_table[regs->r12].fn; if ( call == NULL ) { -- 1.7.9.1
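Review bot: the new check in do_trap_hypercall compares with `>` where it needs `>=`, so a guest that sets r12 equal to ARRAY_SIZE(arm_hypercall_table) still passes the check. The following `arm_hypercall_table[regs->r12].fn` then reads one element past the end of the array, which is the out-of-bounds access the commit message sets out to prevent. Valid indices run from 0 to ARRAY_SIZE - 1, so the condition should be `if ( regs->r12 >= ARRAY_SIZE(arm_hypercall_table) )`. The existing `call == NULL` test after the lookup does not cover this case, because the value read from beyond the table is whatever happens to sit in memory there and need not be NULL.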