From: Jan Beulich Date: Fri, 5 Apr 2013 07:59:03 +0000 (+0200) Subject: defer event channel bucket pointer store until after XSM checks X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~7061 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=99b9ab0b3e7f0e7e5786116773cb7b746f3fab87;p=xen.git defer event channel bucket pointer store until after XSM checks Otherwise a dangling pointer can be left, which would cause subsequent memory corruption as soon as the space got re-allocated for some other purpose. This is CVE-2013-1920 / XSA-47. Reported-by: Wei Liu Signed-off-by: Jan Beulich Reviewed-by: Tim Deegan
---
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index a0f293ff2e..0a6684c6d5 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -140,7 +140,6 @@ static int get_free_port(struct domain *d)
     chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
     if ( unlikely(chn == NULL) )
         return -ENOMEM;
-    bucket_from_port(d, port) = chn;
 
     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
     {
@@ -153,6 +152,8 @@ static int get_free_port(struct domain *d)
         }
     }
 
+    bucket_from_port(d, port) = chn;
+
     return port;
 }
 
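Review bot: The deferred store in the second hunk carries no comment saying why it must stay after the XSM allocation loop, so a later refactor could move it back next to the xzalloc_array() call and reintroduce the dangling bucket pointer this commit removes. Suggest a comment above the new line: `/* Publish the bucket only after every entry passed XSM allocation; storing it earlier leaves a dangling pointer when the loop's error path frees chn. */`. The loop body that frees `chn` on XSM failure lies between the two hunks and outside both, so the fix relies on that path not publishing the pointer; get_free_port's prologue is likewise outside the first hunk. It is not visible here whether callers serialise get_free_port, which the unpublished-bucket window now depends on, so that is worth confirming against the call sites.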