git: 0ebf9bb42d7c - main - xen/intr: fix overflow of Xen interrupt range

From: Roger Pau Monné <royger_at_FreeBSD.org>
Date: Wed, 29 Mar 2023 07:52:27 UTC
The branch main has been updated by royger:

URL: https://cgit.FreeBSD.org/src/commit/?id=0ebf9bb42d7cb94e28a69cfc8efeb17dc9468955

commit 0ebf9bb42d7cb94e28a69cfc8efeb17dc9468955
Author:     Elliott Mitchell <ehem+freebsd@m5p.com>
AuthorDate: 2021-05-11 22:11:06 +0000
Commit:     Roger Pau Monné <royger@FreeBSD.org>
CommitDate: 2023-03-29 07:51:39 +0000

    xen/intr: fix overflow of Xen interrupt range
    
    The comparison was wrong.  Hopefully this never occurred in the wild,
    but now ensure the error message will occur before damage is caused.
    This appears non-exploitable as exploitation would require a guest to
    force Domain 0 to allocate all event channels, which a guest shouldn't
    be able to do.
    
    Adjust the error message to better describe what has occurred.
    
    Reviewed by: royger
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D30743
---
 sys/x86/xen/xen_intr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/x86/xen/xen_intr.c b/sys/x86/xen/xen_intr.c
index 37b18c05b8a6..ca0f56a8546a 100644
--- a/sys/x86/xen/xen_intr.c
+++ b/sys/x86/xen/xen_intr.c
@@ -314,10 +314,10 @@ xen_intr_alloc_isrc(enum evtchn_type type)
 
 	KASSERT(mtx_owned(&xen_intr_isrc_lock), ("Evtchn alloc lock not held"));
 
-	if (xen_intr_auto_vector_count > NR_EVENT_CHANNELS) {
+	if (xen_intr_auto_vector_count >= NR_EVENT_CHANNELS) {
 		if (!warned) {
 			warned = 1;
-			printf("%s: Event channels exhausted.\n", __func__);
+			printf("%s: Xen interrupts exhausted.\n", __func__);
 		}
 		return (NULL);
 	}