From: Ian Campbell <ian.campbell@citrix.com>
Date: Tue, 11 Sep 2012 12:06:54 +0000 (+0200)
Subject: tmem: check the pool_id is valid when destroying a tmem pool
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~7952
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e75ecdea85ff23d916420ec299753e31c5610f47;p=xen.git

tmem: check the pool_id is valid when destroying a tmem pool

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
---

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 5f27ff019f..835c257e5f 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool(uint32_t pool_id)
 
     if ( client->pools == NULL )
         return 0;
+    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
+        return 0;
     if ( (pool = client->pools[pool_id]) == NULL )
         return 0;
     client->pools[pool_id] = NULL;