From: Andrew Cooper Date: Thu, 11 Jun 2015 13:02:35 +0000 (+0200) Subject: x86/traps: loop in the correct direction in compat_iret() X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=15e1ed9ae79f27a0901c71c5b35075f95f8fbfe7;p=xen.git x86/traps: loop in the correct direction in compat_iret() This is CVE-2015-4164 / XSA-136. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: 1f0721377952fc038b48f175d7061ec701359aac master date: 2015-06-11 14:44:47 +0200 --- diff --git a/xen/arch/x86/x86_64/compat/traps.c b/xen/arch/x86/x86_64/compat/traps.c index 5f0ea0a398..0b784451ac 100644 --- a/xen/arch/x86/x86_64/compat/traps.c +++ b/xen/arch/x86/x86_64/compat/traps.c @@ -119,7 +119,7 @@ unsigned int compat_iret(void) } else if ( ksp > regs->_esp ) { - for (i = 9; i > 0; ++i) + for ( i = 9; i > 0; --i ) { rc |= __get_user(x, (u32 *)regs->rsp + i); rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
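Review bot: in the `else if ( ksp > regs->_esp )` branch, the corrected loop `for ( i = 9; i > 0; --i )` still carries no comment saying why the copy must run from the highest slot downward or why slot 0 is left out, and the commit message gives only the CVE/XSA reference. The direction is the whole fix: with the old `++i`, starting at 9 under the condition `i > 0`, the loop did not end after nine iterations but kept going until `i` wrapped, and the type of `i` is not shown in this hunk. A one-line comment above the loop would make the intent reviewable, for example that frames may overlap, so the copy goes top-down when the destination is above the source, and that slot 0 is handled elsewhere if so. The visible body only ORs results into `rc` via `rc |= __get_user(...)` and `rc |= __put_user(...)`, so a faulting access does not stop the loop. It would help to state in the message where `rc` is checked, and to replace the bare `9` with a named constant shared with the opposite-direction branch so the two loops cannot drift apart again.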