$NetBSD: patch-CVE-2012-3496,v 1.3 2012/12/05 19:16:26 drochner Exp $

see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00194.html

The fix for CVE-2012-4537 is also included here; see
http://lists.xen.org/archives/html/xen-devel/2012-11/msg00507.html

The fix for CVE-2012-5514 is also included here; see
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00005.html

--- xen/arch/x86/mm/p2m.c.orig	2012-08-10 13:51:45.000000000 +0000
+++ xen/arch/x86/mm/p2m.c
@@ -2414,7 +2414,11 @@ guest_physmap_mark_populate_on_demand(st
     int pod_count = 0;
     int rc = 0;
 
-    BUG_ON(!paging_mode_translate(d));
+    if ( !IS_PRIV_FOR(current->domain, d) )
+	return -EPERM;
+
+    if ( !paging_mode_translate(d) )
+        return -EINVAL;
 
     rc = gfn_check_limit(d, gfn, order);
     if ( rc != 0 )
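Review bot: The added `return -EPERM;` after the IS_PRIV_FOR check is indented with a tab while the surrounding Xen code uses four spaces; the brace lines added in the guest_physmap_add_entry hunk (the `{`, `goto out;` and `}` around `rc = -EINVAL;`) have the same tab indentation and should be fixed together. Use `        return -EPERM;` to match the file. Since this path now reports an error where the old code hit BUG_ON, a short comment above the paging_mode_translate test would help the next maintainer, e.g. `/* Callers may pass a non-translating domain: report an error rather than BUG_ON. */`. Both early returns happen before the p2m lock is taken later in the function, so returning directly instead of jumping to `out` is correct; the function's start and the lock acquisition are outside the hunk.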
@@ -2431,8 +2435,7 @@ guest_physmap_mark_populate_on_demand(st
         omfn = gfn_to_mfn_query(p2m, gfn + i, &ot);
         if ( p2m_is_ram(ot) )
         {
-            printk("%s: gfn_to_mfn returned type %d!\n",
-                   __func__, ot);
+            P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
             rc = -EBUSY;
             goto out;
         }
@@ -2454,10 +2457,10 @@ guest_physmap_mark_populate_on_demand(st
         BUG_ON(p2m->pod.entry_count < 0);
     }
 
+out:
     audit_p2m(p2m, 1);
     p2m_unlock(p2m);
 
-out:
     return rc;
 }
 
@@ -2559,7 +2562,10 @@ guest_physmap_add_entry(struct p2m_domai
     if ( mfn_valid(_mfn(mfn)) ) 
     {
         if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) )
+	{
             rc = -EINVAL;
+	    goto out; /* Failed to update p2m, bail without updating m2p. */
+	}
         if ( !p2m_is_grant(t) )
         {
             for ( i = 0; i < (1UL << page_order); i++ )
@@ -2580,6 +2586,7 @@ guest_physmap_add_entry(struct p2m_domai
         }
     }
 
+out:
     audit_p2m(p2m, 1);
     p2m_unlock(p2m);
 
