This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] Off-by-one in cpu_gdt_init

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] [PATCH] Off-by-one in cpu_gdt_init
From: David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>
Date: Mon, 06 Jun 2005 17:14:15 +0100
Delivery-date: Mon, 06 Jun 2005 16:13:27 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.60.0506061132180.3202@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <Pine.LNX.4.60.0506061132180.3202@xxxxxxxxxxxxxxxxxxxxxx>
Reply-to: david.nospam.hopwood@xxxxxxxxxxxxxxxx
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
George Washington Dunlap III wrote:
I forget what triggered this bug (it was a long time ago), but cpu_gdt_init() is trying to allocate an array, one per frame, based on gdt_descr->size. However, the math currently rounds down instead of up! (I'm pretty sure that when I triggered it, (gdt_descr->size>>PAGE_SHIFT) was 0.)

diff -urN --exclude=SCCS --exclude=BitKeeper 
    2005-05-16 13:05:03.000000000 -0400
+++ xeno-ft/linux-2.6.11-xen-sparse/arch/xen/i386/kernel/cpu/common.c   
2005-05-16 13:55:06.000000000 -0400
@@ -554,7 +554,7 @@
void __init cpu_gdt_init(struct Xgt_desc_struct *gdt_descr)
-       unsigned long frames[gdt_descr->size >> PAGE_SHIFT];
+       unsigned long frames[(gdt_descr->size >> PAGE_SHIFT)+1];
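Review bot: the +1 on the frames[] bound is exact only if gdt_descr->size holds the descriptor limit (byte count minus one); if it holds the byte count, `(gdt_descr->size >> PAGE_SHIFT)+1` over-allocates by one frame whenever the size is a multiple of PAGE_SIZE, and the exact ceiling is `(gdt_descr->size + PAGE_SIZE - 1) >> PAGE_SHIFT`. Either way, please put a comment on that line stating which semantics `size` has, and make sure the loop that fills frames[] is driven by the same count rather than a second copy of the expression. Also, the hunk header announces seven lines of context on each side but only the function signature and the changed line survive here, and the `---` header line is missing, so the patch as quoted will not apply cleanly and needs to be re-sent or regenerated from the tree.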

Variable-length arrays? Never use variable-length arrays in code that needs
to be robust: you can't guarantee that the stack won't overflow. If it does,
there is no way to detect that situation (unlike malloc et al where you can
check for NULL), you just get undefined behaviour.

David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>
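An added C example, not Xen or Linux code, that illustrates both points raised in this thread: how the frame count rounds under the original, patched and exact expressions (including an unaligned base, which goes slightly beyond the patch), and a fixed-size array with an explicit bound check in place of the variable-length array. PAGE_SHIFT, MAX_GDT_FRAMES, the Xgt_desc_struct layout with `size` as a byte count, and the identity frame mapping are all assumptions of the example.

```c
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define MAX_GDT_FRAMES 16        /* assumed compile-time upper bound on GDT pages */

struct Xgt_desc_struct {         /* assumed layout; size taken as a byte count */
    unsigned long size;
    unsigned long address;
};

/* Original expression from the hunk: rounds down, so a GDT smaller than one
 * page yields 0 frames (the case George describes). */
unsigned long frames_floor(unsigned long size)
{
    return size >> PAGE_SHIFT;
}

/* Patched expression: never 0, but one too many when size is page-aligned
 * (if size were the descriptor limit, i.e. bytes - 1, it would be exact). */
unsigned long frames_patched(unsigned long size)
{
    return (size >> PAGE_SHIFT) + 1;
}

/* Exact ceiling for a page-aligned base: pages needed to cover size bytes. */
unsigned long frames_ceil(unsigned long size)
{
    return (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* Pages spanned by [address, address + size) for any alignment of address. */
unsigned long frames_spanned(unsigned long address, unsigned long size)
{
    if (size == 0)
        return 0;
    return ((address + size - 1) >> PAGE_SHIFT) - (address >> PAGE_SHIFT) + 1;
}

/* Fill a fixed-size array instead of a VLA: a descriptor that needs more
 * frames than MAX_GDT_FRAMES is rejected with -1 rather than silently
 * growing the stack. Returns the number of entries written. Frame numbers
 * assume an identity mapping (a real kernel would translate the address). */
int gdt_frames(const struct Xgt_desc_struct *d, unsigned long frames[MAX_GDT_FRAMES])
{
    unsigned long n = frames_spanned(d->address, d->size), i;
    if (n > MAX_GDT_FRAMES)
        return -1;
    for (i = 0; i < n; i++)
        frames[i] = (d->address >> PAGE_SHIFT) + i;
    return (int)n;
}
```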
