nr_mods is set in add_boot_module() to the number of module
array elements used. This function also ensures that nr_mods
never exceeds MAX_MODULES (the size of the array). When looping
through the array, the correct maximum index is "nr_mods-1",
not "nr_mods". If the array is full, using the latter will in
fact access beyond the end of the array.

This was done correctly in boot_module_find_by_kind() and
consider_modules() but incorrectly in discard_initial_modules()
and next_module().

 

Signed-off-by: Chris Brand <chris.brand@broadcom.com>

---

xen/arch/arm/setup.c | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

 

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c

index 06f8e54b1f04..5daa6db919ac 100644

--- a/xen/arch/arm/setup.c

+++ b/xen/arch/arm/setup.c

@@ -250,7 +250,7 @@ void __init discard_initial_modules(void)

     struct bootmodules *mi = &bootinfo.modules;

     int i;

-    for ( i = 0; i <= mi->nr_mods; i++ )

+    for ( i = 0; i < mi->nr_mods; i++ )

     {

         paddr_t s = mi->module[i].start;

         paddr_t e = s + PAGE_ALIGN(mi->module[i].size);
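Review bot: The `<=` to `<` change in discard_initial_modules() is the right fix, but it is worth spelling out in the commit message that the old bound was wrong in both states of the array, not only when it is full: with nr_mods < MAX_MODULES the loop also processed `mi->module[nr_mods]`, an element add_boot_module() never filled, so its `start`/`size` were whatever the slot happened to hold, and the `s`/`e` range computed here was then acted on as if it were a real module. Since the visible context shows `i` declared as `int`, please also confirm the comparison against `mi->nr_mods` does not produce a signed/unsigned mismatch warning under Xen's build flags, and grep for any other `<= ...nr_mods` iterations outside setup.c so this class of bug is closed in one patch.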

@@ -350,7 +350,7 @@ static paddr_t __init next_module(paddr_t s, paddr_t *end)

     paddr_t lowest = ~(paddr_t)0;

     int i;

-    for ( i = 0; i <= mi->nr_mods; i++ )

+    for ( i = 0; i < mi->nr_mods; i++ )

     {

         paddr_t mod_s = mi->module[i].start;

         paddr_t mod_e = mod_s + mi->module[i].size;
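Review bot: Same loop-bound fix as the first hunk and equally correct; one thing to check while here is that this loop computes `mod_e = mod_s + mi->module[i].size` with no PAGE_ALIGN(), whereas discard_initial_modules() above uses `s + PAGE_ALIGN(mi->module[i].size)` for the same module. If next_module() is used to find the gap between modules for placing other allocations, an unaligned end could make the reported free region start inside the last page of a module; if the difference is intentional, a short comment on one of the two sites would save the next reader the same question. Not a blocker for this patch, which only changes the bound.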

--

1.9.1