Description: defer event channel bucket pointer store until after XSM checks
 Otherwise a dangling pointer can be left, which would cause subsequent
 memory corruption as soon as the space got re-allocated for some other
 purpose.
From: Jan Beulich <jbeulich@suse.com>
Origin: upstream
Id: CVE-2013-1920 XSA-47
---
--- a/xen/common/event_channel.c	Tue Apr 02 12:39:15 2013 +0200
+++ b/xen/common/event_channel.c	Fri Apr 05 10:04:03 2013 +0200
@@ -104,7 +104,6 @@
     if ( unlikely(chn == NULL) )
         return -ENOMEM;
     memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
-    bucket_from_port(d, port) = chn;
 
     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
     {
@@ -117,6 +116,8 @@
         }
     }
 
+    bucket_from_port(d, port) = chn;
+
     return port;
 }
 
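Review bot: The relocated `bucket_from_port(d, port) = chn;` carries no comment recording that it must stay after the XSM allocation loop, so a later cleanup could move it back up next to the `memset` and reintroduce the dangling bucket pointer. I would add a comment directly above the store, for example `/* Publish the bucket only once every XSM allocation has succeeded; the failure path above frees chn. */`. The loop's failure branch and the start of the function are outside the hunk, so the claim that the failure branch frees `chn` is inferred from the commit description and should be checked against the full function.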

