WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

[Xen-devel] [PATCH 1/2] libxc: Check full range of pfns for xc_dom_pfn_t

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] [PATCH 1/2] libxc: Check full range of pfns for xc_dom_pfn_to_ptr
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Tue, 2 Feb 2010 17:22:56 +0000
Delivery-date: Tue, 02 Feb 2010 09:24:15 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1265130967 0
# Node ID 5fc5ee3e3530d38a21d00b4ec2d559b47a23cf07
# Parent  72c359823655427fed7418f0a1cdd39d496ec571
libxc: Check full range of pfns for xc_dom_pfn_to_ptr

Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.

It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here.  But this is probably best not
done while frozen for 4.0.

Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

diff -r 72c359823655 -r 5fc5ee3e3530 tools/libxc/xc_dom_core.c
--- a/tools/libxc/xc_dom_core.c Tue Feb 02 15:47:36 2010 +0000
+++ b/tools/libxc/xc_dom_core.c Tue Feb 02 17:16:07 2010 +0000
@@ -288,7 +288,9 @@
     unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
     char *mode = "unset";
 
-    if ( pfn > dom->total_pages )
+    if ( pfn > dom->total_pages ||    /* multiple checks to avoid overflows */
+         count > dom->total_pages ||
+         pfn > dom->total_pages - count )
     {
         xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
                       __FUNCTION__, pfn, dom->total_pages);
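Review bot: the xc_dom_printf call under the widened condition still reports only pfn and dom->total_pages, with the text "pfn out of range (pfn > total_pages)". When the rejection comes from one of the two new tests (count > dom->total_pages, or pfn > dom->total_pages - count), the log will show a pfn that is not actually greater than total_pages and will not show the count that caused the failure. Suggest adding count to the format string and rewording the message to cover the range, for example "pfn range out of bounds". Two smaller points on the condition itself: the inline comment could say that the count test must come before the subtraction, since that ordering is what keeps dom->total_pages - count from wrapping; and the first test keeps ">" rather than ">=", so pfn == dom->total_pages with count == 0 is still accepted, which is worth confirming as intended.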

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
