WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Re: [patch 1/2] xen-gntalloc: integer overflow in gntalloc_i

To: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Subject: [Xen-devel] Re: [patch 1/2] xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()
From: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Date: Fri, 4 Nov 2011 14:35:54 -0400
Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@xxxxxxxxxx>, kernel-janitors@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx, virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 04 Nov 2011 11:37:12 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20111104182408.GD5796@xxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <20111104182408.GD5796@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.21 (2010-09-15)
On Fri, Nov 04, 2011 at 09:24:08PM +0300, Dan Carpenter wrote:
> On 32 bit systems a high value of op.count could lead to an integer
> overflow in the kzalloc() and gref_ids would be smaller than
> expected.  If the you triggered another integer overflow in
> "if (gref_size + op.count > limit)" then you'd probably get memory
> corruption inside add_grefs().
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Great! Keep them coming!  Will push for stable and 3.2.

> 
> diff --git a/drivers/xen/gntalloc.c b/drivers/xen/gntalloc.c
> index f6832f4..23c60cf 100644
> --- a/drivers/xen/gntalloc.c
> +++ b/drivers/xen/gntalloc.c
> @@ -280,7 +280,7 @@ static long gntalloc_ioctl_alloc(struct 
> gntalloc_file_private_data *priv,
>               goto out;
>       }
>  
> -     gref_ids = kzalloc(sizeof(gref_ids[0]) * op.count, GFP_TEMPORARY);
> +     gref_ids = kcalloc(op.count, sizeof(gref_ids[0]), GFP_TEMPORARY);
>       if (!gref_ids) {
>               rc = -ENOMEM;
>               goto out;

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>