$NetBSD: patch-CVE-2012-5513_1,v 1.1 2012/12/05 19:16:27 drochner Exp $

see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00004.html

--- xen/common/compat/memory.c.orig	2012-08-10 13:51:47.000000000 +0000
+++ xen/common/compat/memory.c
@@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, X
                   (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
                 return -EINVAL;
 
+            if ( !compat_handle_okay(cmp.xchg.in.extent_start,
+                                     cmp.xchg.in.nr_extents) ||
+                 !compat_handle_okay(cmp.xchg.out.extent_start,
+                                     cmp.xchg.out.nr_extents) )
+                return -EFAULT;
+
             start_extent = cmp.xchg.nr_exchanged;
             end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
                          (((1U << ABS(order_delta)) + 1) *
