From 1f0721377952fc038b48f175d7061ec701359aac Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Thu, 11 Jun 2015 14:44:47 +0200
Subject: [PATCH] x86/traps: loop in the correct direction in compat_iret()
This is CVE-2015-4164 / XSA-136.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
 xen/arch/x86/x86_64/compat/traps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/arch/x86/x86_64/compat/traps.c b/xen/arch/x86/x86_64/compat/traps.c
index 4b6b9001cd..2dae0c7d8e 100644
--- a/xen/arch/x86/x86_64/compat/traps.c
+++ b/xen/arch/x86/x86_64/compat/traps.c
@@ -119,7 +119,7 @@ unsigned int compat_iret(void)
 }
 else if ( ksp > regs->_esp )
 {
- for (i = 9; i > 0; ++i)
+ for ( i = 9; i > 0; --i )
 {
 rc |= __get_user(x, (u32 *)regs->rsp + i);
 rc |= __put_user(x, (u32 *)(unsigned long)ksp + i);
-- 2.39.5
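Review bot: The corrected loop in the `ksp > regs->_esp` branch has no comment saying why it must count down, even though the direction is the whole substance of this security fix. With `++i` starting at 9, the `i > 0` bound could only end the loop when `i` wrapped (its declaration is outside the hunk), so `__get_user`/`__put_user` would have been driven far past the intended slots. I would add above the loop something like `/* ksp is above the source frame: copy slots 9..1 from the top down so an overlapping frame is read before it is overwritten. */`, hedged on overlap being the reason for the descending order, which should be confirmed against the rest of compat_iret(). Replacing the bare `9` with a named slot count shared with any sibling copy loop would make a mismatched bound or direction harder to reintroduce. The function body starts and ends outside the hunk, so where slot 0 is handled and where `rc` is checked cannot be seen here.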