XSA-155 fixes

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAABAgAGBQJWdCNCAAoJEIlPj0hw4a6QdgQQANgyTTcN0lKonOn+FunmRl3I K0en2SEck+kS6vr0SlAkIi6uur3XMATsMZPbGf+kn2+7v92sKf7DG2iS0Vszng49 IjMOVaGo1ujzMWHqOq6y29gfxOANXCvnGW9YTIJ3S4xfqJdGqdZ9JY/BpAAVPaVA hjJqKCQZE1bN1LpPYfkG9UZwR3rzWNDeDZBm4uqJ1wSY74+39E8Ocb+r1LlfghmU DR9L1ObTXvMLWB6/h0JRkPhKkAvxku8tmN9CDD+RxGvzSkSkRg7bLXVpY1eOwawn EgNAr1MV5fUFYMMKKuFWeXGuqYd1sa6u5Ggm2lt5lzZ/9jRp5+Xk7KHbav23clSh pydVTRYFWE1jtve7E/HsB0Xry5J2V+EH9XuTxMVWUlEadBtb+Ic2Mt5GTaClY0aD e7qKUpolBOvPOtEMklB8BRt8pAs2Y+m7tr5+n3q90yb757yOtjY/4Pvij3FgGBRW /j43fYck5UX96KlwQzSZmX+7EuaeBFNY1fHTyg2F9DDpens/1sLdykXWdp9SvjAf iUxpjb9VZwn2BkvEm1mm2gJcEHuxbaHyLdReOv+Hlx1HwYoIMXT+RLnUxsnIjH1I ipYoiUnjSPzz7wy5SM9+mTsHFiM37tIoVrPNfwPM9Oi0dBNyl8u+Hg9e4uW/8gwn +Hf6qccip0YGLGfD1ujq =9VGa -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/sstabellini/tags/xsa155' into staging XSA-155 fixes # gpg: Signature made Fri 18 Dec 2015 15:16:18 GMT using RSA key ID 70E1AE90 # gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>" * remotes/sstabellini/tags/xsa155: xenfb: avoid reading twice the same fields from the shared page xen/blkif: Avoid double access to src->nr_segments Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-12-18 15:32:32 +00:00 · 2015-12-18 15:32:32 +00:00 · 6126bc5522
parent 18f49881cf 7ea11bf376
commit 6126bc5522
2 changed files with 14 additions and 8 deletions
--- a/hw/block/xen_blkif.h
+++ b/hw/block/xen_blkif.h
@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
 		d->nr_sectors = s->nr_sectors;
 		return;
 	}
-	if (n > src->nr_segments)
-		n = src->nr_segments;
+	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
+	barrier();
+	if (n > dst->nr_segments)
+		n = dst->nr_segments;
 	for (i = 0; i < n; i++)
 		dst->seg[i] = src->seg[i];
 }
@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
 		d->nr_sectors = s->nr_sectors;
 		return;
 	}
-	if (n > src->nr_segments)
-		n = src->nr_segments;
+	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
+	barrier();
+	if (n > dst->nr_segments)
+		n = dst->nr_segments;
 	for (i = 0; i < n; i++)
 		dst->seg[i] = src->seg[i];
 }
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque)

 static void xenfb_handle_events(struct XenFB *xenfb)
 {
-    uint32_t prod, cons;
+    uint32_t prod, cons, out_cons;
    struct xenfb_page *page = xenfb->c.page;

    prod = page->out_prod;
-    if (prod == page->out_cons)
+    out_cons = page->out_cons;
+    if (prod == out_cons)
 	return;
    xen_rmb();		/* ensure we see ring contents up to prod */
-    for (cons = page->out_cons; cons != prod; cons++) {
+    for (cons = out_cons; cons != prod; cons++) {
 	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+        uint8_t type = event->type;
 	int x, y, w, h;

-	switch (event->type) {
+	switch (type) {
 	case XENFB_TYPE_UPDATE:
 	    if (xenfb->up_count == UP_QUEUE)
 		xenfb->up_fullscreen = 1;