From 96edffae33240e42de8dc50607120cadbe83622b Mon Sep 17 00:00:00 2001
From: Alex Williamson
Date: Mon, 17 Sep 2007 10:59:27 -0600
Subject: [PATCH] [IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.

This avoids a buffer overflow in Xen.

Signed-off-by: Tristan Gingold
---
 xen/arch/ia64/vmx/vmmu.c     | 12 ++++++++++++
 xen/arch/ia64/vmx/vmx_virt.c | 20 ++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/xen/arch/ia64/vmx/vmmu.c b/xen/arch/ia64/vmx/vmmu.c
index 8ab640f542..67075921a4 100644
--- a/xen/arch/ia64/vmx/vmmu.c
+++ b/xen/arch/ia64/vmx/vmmu.c
@@ -403,6 +403,12 @@ IA64FAULT vmx_vcpu_itr_i(VCPU *vcpu, u64 slot, u64 pte, u64 itir, u64 ifa)
     }
     thash_purge_entries(vcpu, va, ps);
 #endif
+
+    if (slot >= NITRS) {
+        panic_domain(NULL, "bad itr.i slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+
     pte &= ~PAGE_FLAGS_RV_MASK;
     vcpu_get_rr(vcpu, va, &rid);
     rid = rid& RR_RID_MASK;
@@ -431,6 +437,12 @@ IA64FAULT vmx_vcpu_itr_d(VCPU *vcpu, u64 slot, u64 pte, u64 itir, u64 ifa)
         return IA64_FAULT;
     }
 #endif
+
+    if (slot >= NDTRS) {
+        panic_domain(NULL, "bad itr.d slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+
     pte &= ~PAGE_FLAGS_RV_MASK;
 
     /* This is a bad workaround
diff --git a/xen/arch/ia64/vmx/vmx_virt.c b/xen/arch/ia64/vmx/vmx_virt.c
index 181ee40d56..0785992d0b 100644
--- a/xen/arch/ia64/vmx/vmx_virt.c
+++ b/xen/arch/ia64/vmx/vmx_virt.c
@@ -567,6 +567,7 @@ static IA64FAULT vmx_emul_tak(VCPU *vcpu, INST64 inst)
 static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
+    ISR isr;
 #ifdef VMAL_NO_FAULT_CHECK
     IA64_PSR vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
@@ -575,7 +576,6 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
         illegal_op(vcpu);
         return IA64_FAULT;
     }
-    ISR isr;
     if ( vpsr.cpl != 0) {
         /* Inject Privileged Operation fault into guest */
         set_privileged_operation_isr (vcpu, 0);
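Review bot: `slot` is a `u64`, but the `panic_domain()` message added in the itr.i hunk formats it with `%ld`; use an unsigned conversion, `panic_domain(NULL, "bad itr.i slot (%lu)", slot);`, and the same in the itr.d hunk at @@ -431. The new check also sits below the `#ifdef`'d block, so in a VMAL_NO_FAULT_CHECK build `thash_purge_entries(vcpu, va, ps)` has already run before an out-of-range slot is rejected; hoisting the bounds check ahead of that block (the start of vmx_vcpu_itr_i() is outside the hunk) would keep the rejected path free of side effects. Since the vmx_virt.c hunks now fault the guest before these functions are called, a one-line comment would explain why the response here is a domain panic rather than a guest fault: `/* Backstop only: vmx_emul_itr_i() rejects a bad slot with a fault before calling us; reaching this is an internal error. */` (worth confirming the emulator is the only caller before wording it that strongly).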
@@ -618,14 +618,22 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
     }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NDTRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+
     return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
 }
 
 static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
-#ifdef VMAL_NO_FAULT_CHECK
     ISR isr;
+#ifdef VMAL_NO_FAULT_CHECK
     IA64_PSR vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
     if ( vpsr.ic ) {
@@ -675,6 +683,14 @@ static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
     }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NITRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+
     return (vmx_vcpu_itr_i(vcpu,slot,pte,itir,ifa));
 }
 
-- 
2.30.2
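Review bot: The five-line Reserved Register/Field fault injection placed before the `vmx_vcpu_itr_d()` call is repeated verbatim in the vmx_emul_itr_i() hunk at @@ -675, and a static helper would keep the two copies from drifting (sketched below with the itr.d call site; itr.i is identical with NITRS). The placement after `#endif // VMAL_NO_FAULT_CHECK` keeps the privilege check ahead of the slot check, which is the order a guest expects those faults to be reported in, so only the duplication is at issue. Both vmx_emul_itr_d() and vmx_emul_itr_i() begin outside their hunks, where `slot` is presumably decoded from `inst`; with the helper, the `ISR isr;` moved out of the `#ifdef` by the vmx_virt.c hunks at @@ -567/@@ -575 could stay under VMAL_NO_FAULT_CHECK.
```c
/* Inject a Reserved Register/Field fault into the guest; used by the itr
 * emulators when the slot operand is outside the implemented TRs. */
static void inject_rsv_reg_fault(VCPU *vcpu)
{
    ISR isr;

    isr.val = set_isr_ei_ni(vcpu);
    isr.code = IA64_RESERVED_REG_FAULT;
    vcpu_set_isr(vcpu, isr.val);
    rsv_reg_field(vcpu);
}

/* … unchanged: vmx_emul_itr_d() up to #endif // VMAL_NO_FAULT_CHECK … */
    if (slot >= NDTRS) {
        inject_rsv_reg_fault(vcpu);
        return IA64_FAULT;
    }
    return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
```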