Description: xen: add missing guest address range checks to XENMEM_exchange handlers
 Ever since its existence (3.0.3 iirc) the handler for this has been
 using non address range checking guest memory accessors (i.e.
 the ones prefixed with two underscores) without first range
 checking the accessed space (via guest_handle_okay()), allowing
 a guest to access and overwrite hypervisor memory.
From: Jan Beulich <jbeulich@suse.com>
Origin: upstream
Id: CVE-2012-5513
---
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE(void) compat)
                   (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
                 return -EINVAL;
 
+            if ( !compat_handle_okay(cmp.xchg.in.extent_start,
+                                     cmp.xchg.in.nr_extents) ||
+                 !compat_handle_okay(cmp.xchg.out.extent_start,
+                                     cmp.xchg.out.nr_extents) )
+                return -EFAULT;
+
             start_extent = cmp.xchg.nr_exchanged;
             end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
                          (((1U << ABS(order_delta)) + 1) *
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -289,6 +289,13 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
         goto fail_early;
     }
 
+    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
+         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
+    {
+        rc = -EFAULT;
+        goto fail_early;
+    }
+
     /* Only privileged guests can allocate multi-page contiguous extents. */
     if ( !multipage_allocation_permitted(current->domain,
                                          exch.in.extent_order) ||
