Description: x86/physdev: Range check pirq parameter from guests
 Otherwise Xen will read beyond either end of the struct
 domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
From: Andrew Cooper <andrew.cooper3@citrix.com>
Origin: upstream, commit:23407:210f16b6509b
Id: CVE-2012-4536
---
diff -r 701f5e3321c1 -r 210f16b6509b xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c	Wed Nov 14 11:33:36 2012 +0000
+++ b/xen/arch/x86/physdev.c	Wed Nov 14 11:35:06 2012 +0000
@@ -234,6 +234,10 @@
     if ( ret )
         return ret;
 
+    ret = -EINVAL;
+    if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
+        goto free_domain;
+
     if ( is_hvm_domain(d) )
     {
         spin_lock(&d->event_lock);
