From: kaf24@firebug.cl.cam.ac.uk
Date: Fri, 12 May 2006 14:47:25 +0000 (+0100)
Subject: Fix an out-of-bounds memory access in xc_ptrace.c.
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~16047^2~75
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=6ca3eb330819ef5e86e45171f255700aee5ffac1;p=xen.git

Fix an out-of-bounds memory access in xc_ptrace.c.

Currently, Xen always copies the entire 512 byte extended FPU state (fxsave) even if only the "regular" FPU state was requested. This breaks since the memory buffer allocated in linux-xen-low.c:regsets_fetch_inferior_registers() is only large enough to hold the "plain" FPU registers.

Signed-Off-By: Simon Kagstrom
---
diff --git a/tools/libxc/xc_ptrace.c b/tools/libxc/xc_ptrace.c index 981abe0b7c..d1a6525af3 100644 --- a/tools/libxc/xc_ptrace.c +++ b/tools/libxc/xc_ptrace.c @@ -520,6 +520,11 @@ xc_ptrace( break; case PTRACE_GETFPREGS: + if (!current_isfile && fetch_regs(xc_handle, cpu, NULL)) + goto out_error; + memcpy(data, &ctxt[cpu].fpu_ctxt, sizeof (elf_fpregset_t)); + break; + case PTRACE_GETFPXREGS: if (!current_isfile && fetch_regs(xc_handle, cpu, NULL)) goto out_error;
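
Review bot: In the new PTRACE_GETFPREGS case, the memcpy limits the copy to sizeof (elf_fpregset_t) but still reads from the start of ctxt[cpu].fpu_ctxt, which the commit message describes as the 512 byte fxsave state. That stops the overrun of the caller's buffer, but it truncates the extended layout rather than converting it, so please confirm that the consumer in regsets_fetch_inferior_registers() expects those leading bytes as-is, or add a comment at the memcpy explaining why truncation is correct. Nothing in the hunk checks the destination size either, so the requirement that data holds at least sizeof (elf_fpregset_t) bytes should be documented at this case. The fetch_regs()/goto out_error pair is now duplicated with PTRACE_GETFPXREGS and could be shared between the two cases.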