compat/memory: avoid UB shifts in XENMEM_exchange handling

Add an early basic check, yielding the same error code as the more
thorough one the main handler would produce.

Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
Reported-by: Manuel Andreas <manuel.andreas@tum.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 560c51be8f6a88cde43c0a7c8be60158b5725982
master date: 2025-04-22 11:25:23 +0200

diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
index 45e5fb0e5d75ce1a5622da620281891eb39800ae..e3eb3c01a1187b7c109043fc8613538b5af77145 100644 (file)
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -161,6 +161,11 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
             if ( copy_from_guest(&cmp.xchg, arg, 1) )
                 return -EFAULT;
 
+            /* Early coarse check, as max_order() isn't available here. */
+            if ( cmp.xchg.in.extent_order >= 32 ||
+                 cmp.xchg.out.extent_order >= 32 )
+                return -EPERM;
+
             order_delta = cmp.xchg.out.extent_order - cmp.xchg.in.extent_order;
             /* Various sanity checks. */
             if ( (cmp.xchg.nr_exchanged > cmp.xchg.in.nr_extents) ||