
changeset 12043:c3b4fef4f751

[LINUX] privcmd: Range-check hypercall index.
Otherwise, bugs in e.g. libxc may bring the kernel down.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
author kfraser@localhost.localdomain
date Mon Oct 30 14:04:44 2006 +0000 (2006-10-30)
parents 7e52933a46b1
children 44caba9460af
files linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
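--- a/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
+++ b/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
@@ -53,6 +53,8 @@ static int privcmd_ioctl(struct inode *i
 			return -EFAULT;
 
 #if defined(__i386__)
+		if (hypercall.op >= (PAGE_SIZE >> 5))
+			break;
 		__asm__ __volatile__ (
 			"pushl %%ebx; pushl %%ecx; pushl %%edx; "
 			"pushl %%esi; pushl %%edi; "
@@ -69,21 +71,21 @@ static int privcmd_ioctl(struct inode *i
 			"popl %%ecx; popl %%ebx"
 			: "=a" (ret) : "0" (&hypercall) : "memory" );
 #elif defined (__x86_64__)
-		{
+		if (hypercall.op < (PAGE_SIZE >> 5)) {
 			long ign1, ign2, ign3;
 			__asm__ __volatile__ (
 				"movq %8,%%r10; movq %9,%%r8;"
-				"shlq $5,%%rax ;"
+				"shll $5,%%eax ;"
 				"addq $hypercall_page,%%rax ;"
 				"call *%%rax"
 				: "=a" (ret), "=D" (ign1),
 				  "=S" (ign2), "=d" (ign3)
-				: "0" ((unsigned long)hypercall.op), 
-				"1" ((unsigned long)hypercall.arg[0]), 
-				"2" ((unsigned long)hypercall.arg[1]),
-				"3" ((unsigned long)hypercall.arg[2]), 
-				"g" ((unsigned long)hypercall.arg[3]),
-				"g" ((unsigned long)hypercall.arg[4])
+				: "0" ((unsigned int)hypercall.op),
+				"1" (hypercall.arg[0]),
+				"2" (hypercall.arg[1]),
+				"3" (hypercall.arg[2]),
+				"g" (hypercall.arg[3]),
+				"g" (hypercall.arg[4])
 				: "r8", "r10", "memory" );
 		}
 #elif defined (__ia64__)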
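Review bot: The bound `PAGE_SIZE >> 5` is written out twice as a bare expression — in the i386 guard at the top of the first hunk and in the x86_64 `if (hypercall.op < (PAGE_SIZE >> 5)) {` — even though it is the only check between the user-supplied `hypercall.op` (copied in just above the first hunk, judging by the `return -EFAULT`) and the computed jump into `hypercall_page`, and the 32-byte entry stride it encodes is hard-coded a second time in the asm as `shll $5`. A single named constant, e.g. `#define HYPERCALL_PAGE_ENTRIES (PAGE_SIZE >> 5) /* 32-byte entries; must match the shl $5 below */` used in both guards, would keep the check and the stride from drifting apart when either is edited. Both rejected paths (the i386 `break` and the skipped x86_64 block) leave `ret` untouched, so the value returned to userspace for an out-of-range op is whatever `ret` was initialised to before the switch, which is outside the hunk — presumably -EINVAL, worth confirming and stating in a comment on the guard. privcmd_ioctl begins before the first hunk and continues after the second.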