From f79513ddb7b6f5c08dcc36666bda99f7583e83b7 Mon Sep 17 00:00:00 2001 From: "cwc22@centipede.cl.cam.ac.uk" Date: Mon, 18 Oct 2004 15:13:54 +0000 Subject: [PATCH] bitkeeper revision 1.1159.113.5 (4173ddb2BchxLpqw2qoKi9rPhxXElA) added error checking for copying dirty bitmap in PEEK and CLEAN shadow ops --- BitKeeper/etc/logging_ok | 1 + xen/arch/x86/shadow.c | 27 ++++++++++++++++++++------- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/BitKeeper/etc/logging_ok b/BitKeeper/etc/logging_ok index 65cb94b67b..c3c6bd3ef7 100644 --- a/BitKeeper/etc/logging_ok +++ b/BitKeeper/etc/logging_ok @@ -11,6 +11,7 @@ br260@labyrinth.cl.cam.ac.uk br260@laudney.cl.cam.ac.uk cl349@freefall.cl.cam.ac.uk cl349@labyrinth.cl.cam.ac.uk +cwc22@centipede.cl.cam.ac.uk djm@kirby.fc.hp.com gm281@boulderdash.cl.cam.ac.uk gm281@tetrapod.cl.cam.ac.uk diff --git a/xen/arch/x86/shadow.c b/xen/arch/x86/shadow.c index 545eff74cb..4c0512ade8 100644 --- a/xen/arch/x86/shadow.c +++ b/xen/arch/x86/shadow.c @@ -295,11 +295,20 @@ static int shadow_mode_table_op( int bytes = ((((d->max_pages - i) > chunk) ? chunk : (d->max_pages - i)) + 7) / 8; - copy_to_user( - sc->dirty_bitmap + (i/(8*sizeof(unsigned long))), - m->shadow_dirty_bitmap +(i/(8*sizeof(unsigned long))), - bytes); - + if (copy_to_user( + sc->dirty_bitmap + (i/(8*sizeof(unsigned long))), + m->shadow_dirty_bitmap +(i/(8*sizeof(unsigned long))), + bytes)) + { + // copy_to_user can fail when copying to guest app memory. + // app should zero buffer after mallocing, and pin it + rc = -EINVAL; + memset( + m->shadow_dirty_bitmap + (i/(8*sizeof(unsigned long))), + 0, (d->max_pages/8) - (i/(8*sizeof(unsigned long)))); + break; + } + memset( m->shadow_dirty_bitmap + (i/(8*sizeof(unsigned long))), 0, bytes); 
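Review bot: The `memset` on the new failure path in the first shadow.c hunk mixes units: its length subtracts `i/(8*sizeof(unsigned long))`, a word index, from `d->max_pages/8`, a byte count. If `shadow_dirty_bitmap` is an `unsigned long *` (its declaration is outside the hunk, but the existing offset and `bytes` pairing implies it), the clear starts about `i/8` bytes into the bitmap and runs past its end whenever the copy fails on a chunk after the first. That is an out-of-bounds write in hypervisor memory on an error path that depends on the caller's buffer. Express the remainder in bytes, for example `0, ((d->max_pages + 7) / 8) - (i / (8*sizeof(unsigned long))) * sizeof(unsigned long));`. Separately, a faulting `copy_to_user` is conventionally reported as `-EFAULT` rather than `-EINVAL`, here and in the PEEK hunk, so callers can tell it apart from argument validation; how `rc` is returned lies outside the hunk.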
@@ -322,8 +331,12 @@ static int shadow_mode_table_op( } sc->pages = d->max_pages; - copy_to_user( - sc->dirty_bitmap, m->shadow_dirty_bitmap, (d->max_pages+7)/8); + if (copy_to_user( + sc->dirty_bitmap, m->shadow_dirty_bitmap, (d->max_pages+7)/8)) + { + rc = -EINVAL; + break; + } break; -- 2.30.2
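Review bot: In the PEEK hunk, `sc->pages = d->max_pages;` is still stored before the copy, so on the new failure path the control structure already claims a full bitmap while the caller's buffer may be only partly written. Whether `sc` is copied back to the caller on error is outside the hunk, so this needs confirming. Moving the assignment after the successful `copy_to_user` would keep the reported size consistent with what was delivered. The `break;` inside the new braces is also redundant, since the unchanged `break;` after the block has the same effect; `rc = -EINVAL;` alone in the body is enough.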