memory: fix off-by-one in XSA-346 change

The comparison against ARRAY_SIZE() needs to be >= in order to avoid
overrunning the pages[] array.

This is XSA-355.

Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
master commit: 9b156bcc3ffcc7949edd4460b718a241e87ae302
master date: 2020-11-24 14:01:31 +0100

diff --git a/xen/common/memory.c b/xen/common/memory.c
index 08fc9252a31b156cb8f91c36c94c3bc7f76004c3..b08c614e391f806dfd1ce5df207a6421659bcb50 100644 (file)
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -807,7 +807,7 @@ static int xenmem_add_to_physmap(struct domain *d,
             ++extra.ppage;
 
         /* Check for continuation if it's not the last iteration. */
-        if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
+        if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
              (xatp->size > done && hypercall_preempt_check()) )
         {
             rc = start + done;