xen-devel
[Xen-devel] Re: [patch] xen: off by one errors in multicalls.c
To: Dan Carpenter <error27@xxxxxxxxx>
Subject: [Xen-devel] Re: [patch] xen: off by one errors in multicalls.c
From: Jeremy Fitzhardinge <jeremy@xxxxxxxx>
Date: Fri, 03 Jun 2011 11:24:20 -0700
Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, "maintainer:X86 ARCHITECTURE..." <x86@xxxxxxxxxx>, kernel-janitors@xxxxxxxxxxxxxxx, "open list:XEN HYPERVISOR IN..." <virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx>, "open list:XEN HYPERVISOR IN..." <xen-devel@xxxxxxxxxxxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>

On 06/02/2011 09:45 PM, Dan Carpenter wrote:
> b->args[] has MC_ARGS elements, so the comparison here should be
> ">=" instead of ">". Otherwise we read past the end of the array
> one space.

Yeah, looks like a correct fix. Fortunately I don't think anything
currently hits that path in practice, though there are some pending
patches which will exercise it more.

Thanks,
J

> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> ---
> This is a static checker patch and I haven't tested it. Please
> review carefully.
>
> diff --git a/arch/x86/xen/multicalls.c b/arch/x86/xen/multicalls.c
> index 8bff7e7..1b2b73f 100644
> --- a/arch/x86/xen/multicalls.c
> +++ b/arch/x86/xen/multicalls.c
> @@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args)
> unsigned argidx = roundup(b->argidx, sizeof(u64));
>
> BUG_ON(preemptible());
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
>
> if (b->mcidx == MC_BATCH ||
> - (argidx + args) > MC_ARGS) {
> + (argidx + args) >= MC_ARGS) {
> mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS);
> xen_mc_flush();
> argidx = roundup(b->argidx, sizeof(u64));
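
Review bot: In the flush condition, `(argidx + args) >= MC_ARGS` now also flushes when a request would end exactly on the last element of b->args[], which touches only valid indices, so it is stricter than the out-of-bounds read in the description requires. If that is intended, so that b->argidx stays a valid index and the tightened BUG_ON at the top holds on the next call, a one-line comment stating the invariant would help. Separately, the entry BUG_ON tests b->argidx while the flush condition compares the rounded-up argidx; asserting on argidx would check the value that is actually used.
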
> @@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args)
> ret.args = &b->args[argidx];
> b->argidx = argidx + args;
>
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
> return ret;
> }
>
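
Review bot: The BUG_ON after `b->argidx = argidx + args;` only holds if every path reaching it has already ruled out `argidx + args == MC_ARGS`, so it is coupled to the `>=` in the flush condition earlier in this function. If one of the two is later relaxed back to `>` without the other, a batch that exactly fills args[] will BUG. Consider a comment next to this assertion saying that b->argidx must remain strictly below MC_ARGS after every allocation.
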
> @@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long
> op, size_t size)
> struct multicall_space ret = { NULL, NULL };
>
> BUG_ON(preemptible());
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
>
> if (b->mcidx == 0)
> return ret;
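
Review bot: Style point on the entry check in xen_mc_extend_args: `BUG_ON(b->argidx >= MC_ARGS);` now appears at entry and exit of both functions this patch touches, so the bound is stated four times and has to be changed in four places. A small helper or macro for the assertion would keep the copies from drifting apart again.
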
> @@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long
> op, size_t size)
> if (b->entries[b->mcidx - 1].op != op)
> return ret;
>
> - if ((b->argidx + size) > MC_ARGS)
> + if ((b->argidx + size) >= MC_ARGS)
> return ret;
>
> ret.mc = &b->entries[b->mcidx - 1];
> ret.args = &b->args[b->argidx];
> b->argidx += size;
>
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
> return ret;
> }
>
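
Review bot: In `if ((b->argidx + size) >= MC_ARGS)`, size is a size_t supplied by the caller, so the sum can wrap for a very large size and pass the check. Since the BUG_ON at function entry already guarantees b->argidx < MC_ARGS, writing the test as `size >= MC_ARGS - b->argidx` expresses the same bound without the addition. With that form the final BUG_ON cannot fire on this path, because the check just before `b->argidx += size;` has already established that the new index is below MC_ARGS.
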