Subject: XSA-4: xen: correct limit checking in x86_64 version of __addr_ok The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too. Guests may exploit this to gain access to off-limits ranges. This issue has been assigned CVE-2011-2901. Signed-off-by: Laszlo Ersek Signed-off-by: Ian Campbell diff --git a/xen/include/asm-x86/x86_64/uaccess.h b/xen/include/asm-x86/x86_64/uaccess.h --- a/xen/include/asm-x86/x86_64/uaccess.h +++ b/xen/include/asm-x86/x86_64/uaccess.h @@ -34,7 +34,7 @@ * non-canonical address (and thus fault) before ever reaching VIRT_START. */ #define __addr_ok(addr) \ - (((unsigned long)(addr) < (1UL<<48)) || \ + (((unsigned long)(addr) < (1UL<<47)) || \ ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) #define access_ok(addr, size) \
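Review bot: The corrected bound `(1UL<<47)` is the right one for the intent stated in the commit message, since the positive (lower canonical) half of a 48-bit virtual address space is exactly `[0, 1UL<<47)`, and the previous `(1UL<<48)` accepted every address below `1UL<<48`, including the range `[1UL<<47, 1UL<<48)` that is outside that half; the hunk would be safer against a repeat of the same off-by-one if the literal were replaced by a named constant or accompanied by a one-line comment stating that 47 is the canonical-half boundary, because the comment directly above the macro only explains the HYPERVISOR_VIRT_END arm and gives a future reader no way to tell 47 from 48.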