From: Ian Campbell <ian.campbell@citrix.com>
Date: Wed, 25 Jul 2012 16:39:21 +0000 (+0100)
Subject: arm: add bounds check on hypercall array
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~8151
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b905f2f14b31bc9a060a7aea712056b73b17c036;p=xen.git

arm: add bounds check on hypercall array

Otherwise a guest can cause us to run off the end of the array.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
[ ijc -- switched to >= not > ]
Committed-by: Ian Campbell <ian.campbell@citrix.com>
---

diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index f2c25b5821..d2adf4fee1 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -479,6 +479,12 @@ static void do_trap_hypercall(struct cpu_user_regs *regs, unsigned long iss)
         return;
     }
 
+    if ( regs->r12 >= ARRAY_SIZE(arm_hypercall_table) )
+    {
+        regs->r0 = -ENOSYS;
+        return;
+    }
+
     call = arm_hypercall_table[regs->r12].fn;
     if ( call == NULL )
     {