Make sure the near JMP/CALL check doesn't consume uninitialized data, not even in a benign way. And relax the length check at once.
Signed-off-by: Jan Beulich <jbeul...@suse.com> --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -174,7 +174,7 @@ static void __init apply_alternatives(st memcpy(insnbuf, replacement, a->replacementlen); /* 0xe8/0xe9 are relative branches; fix the offset. */ - if ( (*insnbuf & 0xfe) == 0xe8 && a->replacementlen == 5 ) + if ( a->replacementlen >= 5 && (*insnbuf & 0xfe) == 0xe8 ) *(s32 *)(insnbuf + 1) += replacement - instr; add_nops(insnbuf + a->replacementlen,
x86/alternatives: correct near branch check Make sure the near JMP/CALL check doesn't consume uninitialized data, not even in a benign way. And relax the length check at once. Signed-off-by: Jan Beulich <jbeul...@suse.com> --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -174,7 +174,7 @@ static void __init apply_alternatives(st memcpy(insnbuf, replacement, a->replacementlen); /* 0xe8/0xe9 are relative branches; fix the offset. */ - if ( (*insnbuf & 0xfe) == 0xe8 && a->replacementlen == 5 ) + if ( a->replacementlen >= 5 && (*insnbuf & 0xfe) == 0xe8 ) *(s32 *)(insnbuf + 1) += replacement - instr; add_nops(insnbuf + a->replacementlen,
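Review bot: the comment above the changed condition ("0xe8/0xe9 are relative branches; fix the offset.") should now say that only a branch occupying the first byte of the replacement is relocated. With `a->replacementlen >= 5` the check accepts replacements longer than a single 5-byte instruction, yet it still inspects only `*insnbuf` and adjusts only the displacement at `insnbuf + 1`, so a near CALL/JMP further into a longer replacement would be copied with its offset unadjusted. Moving the length test to the front is the right order for the stated goal: when `a->replacementlen` is 0 the memcpy() writes nothing into insnbuf, and the short-circuit now keeps `*insnbuf` from being read in that case.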
_______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel