From b4dc2718f8f4002e26c5c0a52208db16f03cf532 Mon Sep 17 00:00:00 2001
From: "kaf24@firebug.cl.cam.ac.uk"
Date: Mon, 27 Jun 2005 20:17:02 +0000
Subject: [PATCH] bitkeeper revision 1.1760 (42c05ebeLIfrneiw1jaZMwle-z9usw) Check set_gdt() bounds before copy_from_user.
Signed-off-by: Chris Wright
---
 xen/arch/x86/mm.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 52b4048909..06e47e5eea 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -2442,6 +2442,10 @@ long do_set_gdt(unsigned long *frame_list, unsigned int entries)
 unsigned long frames[16];
 long ret;
 
+ /* Rechecked in set_gdt, but ensures a sane limit for copy_from_user(). */
+ if ( entries > FIRST_RESERVED_GDT_ENTRY )
+ return -EINVAL;
+
 if ( copy_from_user(frames, frame_list, nr_pages * sizeof(unsigned long)) )
 return -EFAULT;
 
-- 
2.30.2
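Review bot: The added `entries > FIRST_RESERVED_GDT_ENTRY` check protects the fixed-size `frames[16]` stack array only indirectly, because nothing in the hunk ties that constant to the array size. `nr_pages` is computed outside the hunk, presumably from `entries`, so if the reserved-entry limit or the page arithmetic ever changes, copy_from_user() could again write past `frames` with a caller-supplied length. I would also bound the copy on the array itself, e.g. `if ( nr_pages > sizeof(frames) / sizeof(frames[0]) ) return -EINVAL;`, and extend the comment to state that the limit must keep `nr_pages` within `frames`. The body of do_set_gdt begins and ends outside the hunk.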