Diffstat (limited to 'main/xen/xsa355.patch')
-rw-r--r-- | main/xen/xsa355.patch | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/main/xen/xsa355.patch b/main/xen/xsa355.patch
new file mode 100644
index 00000000000..491dd05028a
--- /dev/null
+++ b/main/xen/xsa355.patch
@@ -0,0 +1,23 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+ ++extra.ppage;
+
+ /* Check for continuation if it's not the last iteration. */
+- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+ (xatp->size > done && hypercall_preempt_check()) )
+ {
+ rc = start + done; |
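Review bot: Nothing in this view shows the new file being wired into the package build, because the diffstat is limited to `main/xen/xsa355.patch`. If the build recipe does not list the patch it is presumably never applied, and the `pages[]` overrun described in the patch header would remain in the shipped hypervisor. The embedded hunk also corrects a line introduced by the XSA-346 change it names (`Fixes: 5777a3742d88`), so it only applies to a tree that already carries that series and must come after it in the patch order. Both are worth confirming before merge, for instance by checking that the built `xen/common/memory.c` contains `++done >= ARRAY_SIZE(pages)`. The embedded hunk cuts through `xenmem_add_to_physmap()`, whose body starts and ends outside it.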