Description: xen/mm/shadow: check toplevel pagetables are present before unhooking them.
 If the guest has not fully populated its top-level PAE entries when it calls
 HVMOP_pagetable_dying, the shadow code could try to unhook entries from
 MFN 0.  Add a check to avoid that case.
From: Tim Deegan <tim@xen.org>
Origin: upstream, commit:23409:61eb3d030f52
Id: CVE-2012-4538
---
diff -r f635b1447d7e -r 61eb3d030f52 xen/arch/x86/mm/shadow/multi.c
--- a/xen/arch/x86/mm/shadow/multi.c	Wed Nov 14 11:40:45 2012 +0000
+++ b/xen/arch/x86/mm/shadow/multi.c	Wed Nov 14 11:43:29 2012 +0000
@@ -4737,8 +4737,12 @@
     }
     for ( i = 0; i < 4; i++ )
     {
-        if ( fast_path )
-            smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+        if ( fast_path ) {
+            if ( pagetable_is_null(v->arch.shadow_table[i]) )
+                smfn = _mfn(INVALID_MFN);
+            else
+                smfn = _mfn(pagetable_get_pfn(v->arch.shadow_table[i]));
+        }
         else
         {
             /* retrieving the l2s */
