From: Jan Beulich Date: Wed, 9 Mar 2016 15:51:16 +0000 (+0100) Subject: x86/alternatives: correct near branch check X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~1572 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=cd29140ef0e65a33d62e7f5ee843077e51913f01;p=xen.git x86/alternatives: correct near branch check Make sure the near JMP/CALL check doesn't consume uninitialized data, not even in a benign way. And relax the length check at once. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index 0a0ce156e7..26ad2b935f 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -178,7 +178,7 @@ static void __init apply_alternatives(struct alt_instr *start, struct alt_instr memcpy(insnbuf, replacement, a->replacementlen); /* 0xe8/0xe9 are relative branches; fix the offset. */ - if ( (*insnbuf & 0xfe) == 0xe8 && a->replacementlen == 5 ) + if ( a->replacementlen >= 5 && (*insnbuf & 0xfe) == 0xe8 ) *(s32 *)(insnbuf + 1) += replacement - instr; add_nops(insnbuf + a->replacementlen,
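Review bot: With the relaxed `a->replacementlen >= 5` the fixup now applies to replacements longer than a single 5-byte JMP/CALL, yet the check still only looks at the first opcode byte via `(*insnbuf & 0xfe) == 0xe8`, so a relative branch anywhere after the leading instruction in a longer replacement is not relocated; a short comment above the `if` stating that only a leading E8/E9 is fixed up would keep this limit visible to anyone adding multi-instruction alternatives. Swapping the operand order is the substantive correctness fix: the length test is now evaluated before `*insnbuf` is dereferenced, so a zero-length replacement (where `memcpy` wrote nothing into `insnbuf`) no longer reads an uninitialized byte, matching the commit message; the commit message could also mention that `>= 5` intentionally widens the fixup to longer replacements, since that is a behaviour change rather than only a cleanup.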