Xen devel - Sep 2012 - [PATCH 03/11] tmem: check the pool_id is valid when destroying a tmem pool

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool
 
     if ( client->pools == NULL )
         return 0;
+    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
+        return 0;
     if ( (pool = client->pools[pool_id]) == NULL )
         return 0;
     client->pools[pool_id] = NULL;





_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

> From: Jan Beulich [mailto:JBeulich@suse.com]
> Sent: Wednesday, September 05, 2012 6:35 AM
> To: xen-devel
> Cc: Dan Magenheimer; Zhenzhong Duan
> Subject: [PATCH 03/11] tmem: check the pool_id is valid when destroying a
tmem pool
> 
> This is part of XSA-15 / CVE-2012-3497.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
> --- a/xen/common/tmem.c
> +++ b/xen/common/tmem.c
> @@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool
> 
>      if ( client->pools == NULL )
>          return 0;
> +    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
> +        return 0;
>      if ( (pool = client->pools[pool_id]) == NULL )
>          return 0;
>      client->pools[pool_id] = NULL;
> 
> 
>