From bbe9b1dc6cd7b68f27c83974475773002efffb8f Mon Sep 17 00:00:00 2001
From: "kaf24@firebug.cl.cam.ac.uk"
Date: Thu, 27 Apr 2006 14:13:42 +0100
Subject: [PATCH] Add bounds check to get_mfn_from_gpfn().

From: Jan Beulich
Signed-off-by: Keir Fraser
---
 xen/include/asm-x86/mm.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
index 3bb8cc93e0..383dea288a 100644
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -274,6 +274,8 @@ int check_descriptor(struct desc_struct *d);
 * been used by the read-only MPT map.
 */
 #define phys_to_machine_mapping ((unsigned long *)RO_MPT_VIRT_START)
+#define NR_P2M_TABLE_ENTRIES ((unsigned long *)RO_MPT_VIRT_END \
+ - phys_to_machine_mapping)
 #define INVALID_MFN (~0UL)
 #define VALID_MFN(_mfn) (!((_mfn) & (1U<<31)))
 
@@ -282,7 +284,9 @@ static inline unsigned long get_mfn_from_gpfn(unsigned long pfn)
 {
 unsigned long mfn;
 
- if ( __copy_from_user(&mfn, &phys_to_machine_mapping[pfn], sizeof(mfn)) )
+ if ( unlikely(pfn >= NR_P2M_TABLE_ENTRIES) ||
+ unlikely(__copy_from_user(&mfn, &phys_to_machine_mapping[pfn],
+ sizeof(mfn))) )
 mfn = INVALID_MFN;
 
 return mfn;
--
2.30.2
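Review bot: `NR_P2M_TABLE_ENTRIES` in the first hunk is a pointer difference, so it has a signed type, and the `pfn >= NR_P2M_TABLE_ENTRIES` test in the second hunk relies on the implicit conversion to `unsigned long`. Wrapping the expression in a cast, `((unsigned long)((unsigned long *)RO_MPT_VIRT_END - phys_to_machine_mapping))`, would make the comparison unsigned by construction. The macro also sits under the comment that describes `phys_to_machine_mapping` and has none of its own; `/* Number of entries in the p2m window; valid indexes are 0 .. NR_P2M_TABLE_ENTRIES - 1. */` would record the intent. The bound is only right if `RO_MPT_VIRT_END` is one past the end of the window, which is defined outside this hunk and worth confirming.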
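Review bot: The new range test in get_mfn_from_gpfn() is, as far as the second hunk shows, the only thing keeping `&phys_to_machine_mapping[pfn]` inside the table before `__copy_from_user` reads from it, and nothing in the function says so. A comment above the `if`, such as `/* pfn may be guest-controlled: an index past the table would read outside the p2m window. */`, would stop a later cleanup from dropping the check as redundant. The comparison bounds only the architectural path; on a tree that provides `array_index_nospec()`, clamping `pfn` after the check would also bound the load under speculation. The closing brace of the function and its callers, which must still handle `INVALID_MFN`, are outside the hunk.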