$NetBSD: patch-CVE-2012-3498,v 1.2 2012/11/14 13:42:41 drochner Exp $

contains patch for CVE-2012-3495
see http://lists.xen.org/archives/html/xen-devel/2012-09/msg00187.html
and http://lists.xen.org/archives/html/xen-devel/2012-09/msg00197.html
and patch for CVE-2012-4536
see http://lists.xen.org/archives/html/xen-devel/2012-11/msg00503.html

--- xen/arch/x86/physdev.c.orig	2012-08-10 13:51:46.000000000 +0000
+++ xen/arch/x86/physdev.c
@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
         struct hvm_girq_dpci_mapping *girq;
         uint32_t machine_gsi = 0;
 
+        if ( map->index < 0 || map->index >= NR_HVM_IRQS )
+        {
+            ret = -EINVAL;
+            break;
+        }
+
         /* find the machine gsi corresponding to the
          * emulated gsi */
         hvm_irq_dpci = domain_get_irq_dpci(d);
         if ( hvm_irq_dpci )
         {
+            BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
             list_for_each_entry ( girq,
                                   &hvm_irq_dpci->girq[map->index],
                                   list )
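Review bot: The new range check on `map->index` has no comment explaining why it is there, and the reason is the security-relevant part: the value arrives in the map request (presumably guest-controlled) and is used a few lines later as the index in `&hvm_irq_dpci->girq[map->index]`. I would add `/* map->index comes from the caller and indexes girq[] below; reject anything outside [0, NR_HVM_IRQS) */` above the `if`. The `BUILD_BUG_ON` is what makes NR_HVM_IRQS a valid bound for that array, so a one-line comment there saying so would stop a later resize of `girq` from quietly invalidating the check. The enclosing case body starts and ends outside the hunk.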
@@ -230,6 +237,10 @@ static int physdev_unmap_pirq(struct phy
     if ( ret )
         return ret;
 
+    ret = -EINVAL;
+    if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
+	goto free_domain;
+
     if ( is_hvm_domain(d) )
     {
         spin_lock(&d->event_lock);
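Review bot: The added check in physdev_unmap_pirq assigns `ret = -EINVAL` unconditionally before testing the range, so every path after it starts with ret at -EINVAL where it was 0 before (the preceding `if ( ret ) return ret;` guarantees that). Whether each later path reassigns ret before reaching `free_domain` cannot be confirmed from this hunk, because the function body continues outside it. Setting the error only in the failing branch removes that dependency: `if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs ) { ret = -EINVAL; goto free_domain; }`. The `goto` line is also indented with a tab where the surrounding code uses spaces.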
@@ -587,11 +598,16 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
             break;
 
         spin_lock(&d->event_lock);
-        out.pirq = get_free_pirq(d, out.type, 0);
-        d->arch.pirq_irq[out.pirq] = PIRQ_ALLOCATED;
+        ret = get_free_pirq(d, out.type, 0);
+        if ( ret >= 0 )
+            d->arch.pirq_irq[ret] = PIRQ_ALLOCATED;
         spin_unlock(&d->event_lock);
 
-        ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+        if ( ret >= 0 )
+        {
+            out.pirq = ret;
+            ret = copy_to_guest(arg, &out, 1) ? -EFAULT : 0;
+        }
 
         rcu_unlock_domain(d);
         break;
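Review bot: When `copy_to_guest` fails in the second `if ( ret >= 0 )` block, the slot marked with `d->arch.pirq_irq[ret] = PIRQ_ALLOCATED` stays allocated even though the caller gets -EFAULT and never learns the pirq number. The effect looks limited to the domain `d` consuming its own pirq space, but where `d` comes from is outside the hunk, so that should be confirmed. Either release the slot on the failure path while holding `d->event_lock`, resetting it to whatever value `get_free_pirq` treats as free, or record the decision with a comment such as `/* pirq stays allocated if the copy fails; only d's own pirq space is affected */`. It would also help to note at the `get_free_pirq` call that a negative return is an error code passed straight back through `ret`, since `ret` now serves as both pirq number and status.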
