From: Jan Beulich Date: Tue, 24 Nov 2020 13:11:47 +0000 (+0100) Subject: memory: fix off-by-one in XSA-346 change X-Git-Tag: archive/raspbian/4.14.0+88-g1d1d1f5391-2+rpi1^2~86^2~7 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0057b1f8fa79abe8272690341db54b064c8f2b7f;p=xen.git memory: fix off-by-one in XSA-346 change The comparison against ARRAY_SIZE() needs to be >= in order to avoid overrunning the pages[] array. This is XSA-355. Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush") Signed-off-by: Jan Beulich Reviewed-by: Julien Grall master commit: 9b156bcc3ffcc7949edd4460b718a241e87ae302 master date: 2020-11-24 14:01:31 +0100 --- diff --git a/xen/common/memory.c b/xen/common/memory.c index 7075e233aa..5c5075ae41 100644 --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain *d, struct xen_add_to_physmap *xatp, ++extra.ppage; /* Check for continuation if it's not the last iteration. */ - if ( (++done > ARRAY_SIZE(pages) && extra.ppage) || + if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) || (xatp->size > done && hypercall_preempt_check()) ) { rc = start + done;
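Review bot: In the `++done >= ARRAY_SIZE(pages) && extra.ppage` clause, the capacity bound for `pages[]` still depends on a pre-increment embedded in a compound condition, and the comment above it ("Check for continuation if it's not the last iteration.") says nothing about the array limit, so the invariant the `>=` protects is not written down anywhere in the hunk. Consider moving `++done;` to its own statement next to `++extra.ppage;` (the increment is evaluated unconditionally today, so behaviour is unchanged) and extending the comment to state that a continuation is forced once `done` reaches `ARRAY_SIZE(pages)` while `extra.ppage` is set, since another iteration would overrun `pages[]` as the commit message describes. An ASSERT that `done` never exceeds `ARRAY_SIZE(pages)` ahead of the check would also make a regression of this comparison fail loudly in debug builds.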