WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] Fix PVFB backend to validate frontend's frame buffer des

from [Markus Armbruster] [Permanent Link][Original]
To: Pat Campbell <plc@xxxxxxxxxx>
Subject: Re: [Xen-devel] Fix PVFB backend to validate frontend's frame buffer description
From: Markus Armbruster <armbru@xxxxxxxxxx>
Date: Thu, 15 May 2008 09:40:57 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 15 May 2008 00:41:20 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <482B29C9.6010007@xxxxxxxxxx> (Pat Campbell's message of "Wed\, 14 May 2008 12\:04\:57 -0600")
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <877idyxq1i.fsf@xxxxxxxxxxxxxxxxx> <482B29C9.6010007@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux) 
Pat Campbell <plc@xxxxxxxxxx> writes:

> Markus Armbruster wrote:
>> A buggy or malicious frontend can describe its shared framebuffer to
>> the backend in a way that makes the backend map an arbitrary amount of
>>
>>   
> snipped out, see inline question below.
>>
>> diff -r 0a8fc1a62796 tools/ioemu/hw/xenfb.c
>> --- a/tools/ioemu/hw/xenfb.c Mon May 12 11:19:09 2008 +0100
>> +++ b/tools/ioemu/hw/xenfb.c Tue May 13 14:53:58 2008 +0200
>> @@ -28,8 +28,6 @@
[....]
>> +static int xenfb_configure_fb(struct xenfb *xenfb, size_t fb_len_lim,
>> +                          int width, int height, int depth,
>> +                          size_t fb_len, int offset, int row_stride)
>> +{
>> +    size_t mfn_sz = sizeof(*((struct xenfb_page *)0)->pd);
>> +    size_t pd_len = sizeof(((struct xenfb_page *)0)->pd) / mfn_sz;
>> +    size_t fb_pages = pd_len * XC_PAGE_SIZE / mfn_sz;
>> +    size_t fb_len_max = fb_pages * XC_PAGE_SIZE;
>> +    int max_width, max_height;
>> +
>> +    if (fb_len_lim > fb_len_max) {
>> +            fprintf(stderr,
>> +                    "FB: fb size limit %zu exceeds %zu, corrected\n",
>> +                    fb_len_lim, fb_len_max);
>> +            fb_len_lim = fb_len_max;
>> +    }
>> +    if (fb_len > fb_len_lim) {
>> +            fprintf(stderr,
>> +                    "FB: frontend fb size %zu limited to %zu\n",
>> +                    fb_len, fb_len_lim);
>>   
> Do we need to set fb_len to fb_len_lim here?
> fb_len = fb_len_lim;

Yes, we do!  Good catch, thank you.  I have no idea how that got lost.
I'll post a patch.

[...]

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [PATCH 0/4] HVM Virtual S3, Keir Fraser
Next by Date:  RE: [Xen-devel] VMX status report. Xen: #17630 & Xen0: #540 -- blocked, Li, Haicheng
Previous by Thread:  Re: [Xen-devel] Fix PVFB backend to validate frontend's frame buffer description, Pat Campbell
Next by Thread:  [Xen-devel] [PATCH] ioemu: Fix PVFB backend to limit frame buffer size, Markus Armbruster
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy