File CVE-2012-5512-xsa28.patch of Package xen.openSUSE_12.1_Update

References: CVE-2012-5512 XSA-28 bnc#789940

x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use

Otherwise an out of bounds array access can happen if changing the
default access is being requested, which - if it doesn't crash Xen -
would subsequently allow reading arbitrary memory through
HVMOP_get_mem_access (again, unless that operation crashes Xen).

This is XSA-28 / CVE-2012-5512.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3825,7 +3825,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
             return rc;
 
         rc = -EINVAL;
-        if ( !is_hvm_domain(d) )
+        if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )
             goto param_fail5;
 
         p2m = p2m_get_hostp2m(d);
@@ -3845,9 +3845,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
              ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
             goto param_fail5;
             
-        if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) )
-            goto param_fail5;
-
         for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
         {
             p2m_type_t t;