From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Thu, 11 Jun 2015 12:44:47 +0000 (+0200)
Subject: x86/traps: loop in the correct direction in compat_iret()
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~3107
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks:///%22http:/www.example.com/cgi/%22https:/%22bookmarks:/?a=commitdiff_plain;h=1f0721377952fc038b48f175d7061ec701359aac;p=xen.git

x86/traps: loop in the correct direction in compat_iret()

This is CVE-2015-4164 / XSA-136.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---

diff --git a/xen/arch/x86/x86_64/compat/traps.c b/xen/arch/x86/x86_64/compat/traps.c
index 4b6b9001cd..2dae0c7d8e 100644
--- a/xen/arch/x86/x86_64/compat/traps.c
+++ b/xen/arch/x86/x86_64/compat/traps.c
@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
         }
         else if ( ksp > regs->_esp )
         {
-            for (i = 9; i > 0; ++i)
+            for ( i = 9; i > 0; --i )
             {
                 rc |= __get_user(x, (u32 *)regs->rsp + i);
                 rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);