From f2e6577be418bb928d02cf8395fd5e76fcb7ce33 Mon Sep 17 00:00:00 2001
From: "tdeegan@york.uk.xensource.com"
Date: Tue, 29 Aug 2006 09:37:30 +0100
Subject: [PATCH] [XEN] Off-by one error in range checks translating gfns to mfns
Signed-off-by: Tim Deegan
---
 xen/arch/x86/mm/shadow/common.c | 2 +-
 xen/arch/x86/mm/shadow/private.h | 2 +-
 xen/include/asm-x86/mm.h | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
index 0e36afafb6..9057b35448 100644
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -1121,7 +1121,7 @@ sh_gfn_to_mfn_foreign(struct domain *d, unsigned long gpfn)
 #if CONFIG_PAGING_LEVELS > 2
- if ( gpfn > (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) )
+ if ( gpfn >= (RO_MPT_VIRT_END-RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) )
 /* This pfn is higher than the p2m map can hold */
 return _mfn(INVALID_MFN);
 #endif
diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
index f470a874ba..eeb2d86342 100644
--- a/xen/arch/x86/mm/shadow/private.h
+++ b/xen/arch/x86/mm/shadow/private.h
@@ -555,7 +555,7 @@ vcpu_gfn_to_mfn_nofault(struct vcpu *v, unsigned long gfn)
 return _mfn(gfn);
 #if CONFIG_PAGING_LEVELS > 2
- if ( gfn > (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) )
+ if ( gfn >= (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) )
 /* This pfn is higher than the p2m map can hold */
 return _mfn(INVALID_MFN);
 #endif
diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
index 2acdd2f23d..8263199824 100644
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
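Review bot: The limit `(RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t)` is written out by hand in sh_gfn_to_mfn_foreign (common.c) and again in vcpu_gfn_to_mfn_nofault (private.h) and get_mfn_from_gpfn (mm.h), which is why the same off-by-one had to be corrected in three places. Defining the entry count once in a header all three files see, under a name such as `#define RO_MPT_NR_ENTRIES ((RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t))`, and testing `if ( gpfn >= RO_MPT_NR_ENTRIES )` would keep the three guards from drifting apart again. It would also make the squeezed `RO_MPT_VIRT_END-RO_MPT_VIRT_START` spelling in the common.c hunk unnecessary; that spelling differs from the other two hunks and was presumably chosen to fit the line width. All three functions start and end outside their hunks.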
@@ -368,7 +368,7 @@ static inline unsigned long get_mfn_from_gpfn(unsigned long pfn)
 int ret;
 #if CONFIG_PAGING_LEVELS > 2
- if ( pfn > (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof (l1_pgentry_t) )
+ if ( pfn >= (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) )
 /* This pfn is higher than the p2m map can hold */
 return INVALID_MFN;
 #endif
-- 
2.30.2
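Review bot: The guard in get_mfn_from_gpfn is compiled only when `CONFIG_PAGING_LEVELS > 2`, so on a 2-level build pfn reaches whatever lookup follows `#endif` with no range check visible in these lines; the other two hunks have the same shape. The rest of the function is outside the hunk, so this may be safe by construction, but the reason is not stated anywhere in the lines shown. A comment on the `#if` such as `/* 2-level builds: <why no bound is needed> */` would let the next reader confirm that a frame number which may originate from a guest cannot index past the table there either.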