1 files changed, 34 insertions, 0 deletions

diff --git a/main/xen/xsa164.patch b/main/xen/xsa164.patch
new file mode 100644
index 0000000000..39ffccc40f
--- /dev/null
+++ b/main/xen/xsa164.patch
@@ -0,0 +1,34 @@
+MSI-X: avoid array overrun upon MSI-X table writes
+
+pt_msix_init() allocates msix->msix_entry[] to just cover
+msix->total_entries entries. While pci_msix_readl() resorts to reading
+physical memory for out of bounds reads, pci_msix_writel() so far
+simply accessed/corrupted unrelated memory.
+
+pt_iomem_map()'s call to cpu_register_physical_memory() registers a
+page granular region, which is necessary as the Pending Bit Array may
+share space with the MSI-X table (but nothing else is allowed to). This
+also explains why pci_msix_readl() actually honors out of bounds reads,
+but pci_msi_writel() doesn't need to.
+
+This is XSA-164.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/hw/pt-msi.c
++++ b/hw/pt-msi.c
+@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
+         return;
+     }
+ 
++    if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
++    {
++        PT_LOG("Error: Out of bounds write to MSI-X table,"
++               " addr %016"PRIx64"\n", addr);
++        return;
++    }
++
+     entry_nr = (addr - msix->mmio_base_addr) / 16;
+     entry = &msix->msix_entry[entry_nr];
+     offset = ((addr - msix->mmio_base_addr) % 16) / 4;