From 0ebf9bb42d7cb94e28a69cfc8efeb17dc9468955 Mon Sep 17 00:00:00 2001 From: Elliott Mitchell Date: Tue, 11 May 2021 15:11:06 -0700 Subject: [PATCH] xen/intr: fix overflow of Xen interrupt range The comparison was wrong. Hopefully this never occurred in the wild, but now ensure the error message will occur before damage is caused. This appears non-exploitable as exploitation would require a guest to force Domain 0 to allocate all event channels, which a guest shouldn't be able to do. Adjust the error message to better describe what has occurred. Reviewed by: royger MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D30743 --- sys/x86/xen/xen_intr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/x86/xen/xen_intr.c b/sys/x86/xen/xen_intr.c index 37b18c05b8a6..ca0f56a8546a 100644 --- a/sys/x86/xen/xen_intr.c +++ b/sys/x86/xen/xen_intr.c @@ -314,10 +314,10 @@ xen_intr_alloc_isrc(enum evtchn_type type) KASSERT(mtx_owned(&xen_intr_isrc_lock), ("Evtchn alloc lock not held")); - if (xen_intr_auto_vector_count > NR_EVENT_CHANNELS) { + if (xen_intr_auto_vector_count >= NR_EVENT_CHANNELS) { if (!warned) { warned = 1; - printf("%s: Event channels exhausted.\n", __func__); + printf("%s: Xen interrupts exhausted.\n", __func__); } return (NULL); }