From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 14 Jun 2013 15:39:38 +0000 (+0100)
Subject: libxc: Better range check in xc_dom_alloc_segment
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~6719
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=82cb4113b6ace16de192021de20f6cbd991e478f;p=xen.git

libxc: Better range check in xc_dom_alloc_segment

If seg->pfn is too large, the arithmetic in the range check might
overflow, defeating the range check.

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---

diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index 5f188c1321..3df71714aa 100644
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -511,7 +511,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
     seg->vstart = start;
     seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
 
-    if ( pages > dom->total_pages || /* double test avoids overflow probs */
+    if ( pages > dom->total_pages || /* multiple test avoids overflow probs */
+         seg->pfn > dom->total_pages ||
          pages > dom->total_pages - seg->pfn)
     {
         xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,