File xsa238.patch of Package xen.11298
From: XenProject Security Team <security@xenproject.org>
Subject: x86/ioreq server: correctly handle bogus
 XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments

Misbehaving device model can pass incorrect XEN_DMOP_map/
unmap_io_range_to_ioreq_server arguments, namely end < start when
specifying address range. When this happens we hit ASSERT(s <= e) in
rangeset_contains_range()/rangeset_overlaps_range() with debug builds.
Production builds will not trap right away but may misbehave later
while handling such bogus ranges.

This is XSA-238.

Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/hvm/hvm.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: xen-4.5.5-testing/xen/arch/x86/hvm/hvm.c
===================================================================
--- xen-4.5.5-testing.orig/xen/arch/x86/hvm/hvm.c
+++ xen-4.5.5-testing/xen/arch/x86/hvm/hvm.c
@@ -1158,6 +1158,9 @@ static int hvm_map_io_range_to_ioreq_ser
struct hvm_ioreq_server *s;
int rc;
+ if ( start > end )
+ return -EINVAL;
+
spin_lock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
rc = -ENOENT;
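Review bot: the added `if ( start > end )` test at the top of the map function has no comment saying why the comparison is strict, so a later reader cannot tell from the code alone that `start == end` is meant to stay valid. A one-line comment above it, for example `/* rangeset code asserts s <= e; a single-address range is fine */`, would tie the check to the ASSERT(s <= e) named in the commit message. Placing the check before `spin_lock_recursive()` is right, since the early `return -EINVAL` then needs no unlock path; note that it also means a bogus range is reported as -EINVAL before the `rc = -ENOENT` lookup runs, which is worth stating in the description if callers distinguish the two errors.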
@@ -1209,6 +1212,9 @@ static int hvm_unmap_io_range_from_ioreq
struct hvm_ioreq_server *s;
int rc;
+ if ( start > end )
+ return -EINVAL;
+
spin_lock_recursive(&d->arch.hvm_domain.ioreq_server.lock);
rc = -ENOENT;
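Review bot: the `if ( start > end ) return -EINVAL;` pair in the unmap function is a verbatim copy of the one added to the map function in the previous hunk, which leaves the validation easy to miss if another range operation is added later. Consider factoring it into a small static helper used by both functions, or, if both are reached from a single dispatch point, rejecting the range once there. As in the map path, the check sits ahead of `spin_lock_recursive()`, so no lock is held on the error return.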