From 2c24cdcce3269f3286790c63821951a1de93c66a Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Mon, 4 Nov 2013 10:10:04 +0100
Subject: [PATCH] x86/ACPI/x2APIC: guard against out of range ACPI or APIC IDs
Other than for the legacy APIC, the x2APIC MADT entries have valid ranges possibly extending beyond what our internal arrays can handle, and hence we need to guard ourselves against corrupting memory here.
Signed-off-by: Jan Beulich
Reviewed-by: Keir Fraser
---
 xen/arch/x86/acpi/boot.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/xen/arch/x86/acpi/boot.c b/xen/arch/x86/acpi/boot.c
index 0e1d570c29..df264233cd 100644
--- a/xen/arch/x86/acpi/boot.c
+++ b/xen/arch/x86/acpi/boot.c
@@ -97,7 +97,20 @@ acpi_parse_x2apic(struct acpi_subtable_header *header, const unsigned long end)
 acpi_table_print_madt_entry(header);
- /* Record local apic id only when enabled */
+ /* Record local apic id only when enabled and fitting. */
+ if (processor->local_apic_id >= MAX_APICS ||
+ processor->uid >= MAX_MADT_ENTRIES) {
+ printk("%sAPIC ID %#x and/or ACPI ID %#x beyond limit"
+ " - processor ignored\n",
+ processor->lapic_flags & ACPI_MADT_ENABLED ?
+ KERN_WARNING "WARNING: " : KERN_INFO,
+ processor->local_apic_id, processor->uid);
+ /*
+ * Must not return an error here, to prevent
+ * acpi_table_parse_entries() from terminating early.
+ */
+ return 0 /* -ENOSPC */;
+ }
 if (processor->lapic_flags & ACPI_MADT_ENABLED) {
 x86_acpiid_to_apicid[processor->uid] = processor->local_apic_id;
-- 2.30.2
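Review bot: The bound on `processor->uid` is written against the constant `MAX_MADT_ENTRIES` rather than against the array it protects, so the guard stops covering the `x86_acpiid_to_apicid[processor->uid]` write if that array's declared size ever diverges from the constant. The array's definition is not in this hunk; if it is visible in this file, `processor->uid >= ARRAY_SIZE(x86_acpiid_to_apicid)` ties the check to the write, otherwise a comment such as `/* uid indexes x86_acpiid_to_apicid[], local_apic_id indexes the per-APIC-ID tables */` would record the dependency. The same reasoning applies to `local_apic_id >= MAX_APICS`, whose consumer presumably sits further down in acpi_parse_x2apic(), outside the hunk. Because MADT contents come from firmware, the log line would also be easier to act on if it named which of the two limits was exceeded instead of "and/or".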