blob: c629ada1f4ad92f72b4fdce55a803dd3179f1871 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
$NetBSD: patch-XSA355,v 1.1.2.2 2021/02/18 05:21:21 spz Exp $
From: Jan Beulich <jbeulich@suse.com>
Subject: memory: fix off-by-one in XSA-346 change
The comparison against ARRAY_SIZE() needs to be >= in order to avoid
overrunning the pages[] array.
This is XSA-355.
Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
--- xen/common/memory.c.orig
+++ xen/common/memory.c
@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
++extra.ppage;
/* Check for continuation if it's not the last iteration. */
- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
+ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
(xatp->size > done && hypercall_preempt_check()) )
{
rc = start + done;
|