This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-devel] out of bounds handling for get_mfn_from_gpfn()

To: "Jan Beulich" <jbeulich@xxxxxxxxxx>
Subject: Re: [Xen-devel] out of bounds handling for get_mfn_from_gpfn()
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Wed, 26 Apr 2006 13:44:36 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <444F7D2C.76E4.0078.0@xxxxxxxxxx>
References: <444F7D2C.76E4.0078.0@xxxxxxxxxx>

On 26 Apr 2006, at 13:01, Jan Beulich wrote:

> - add a bounds check to get_mfn_from_gpfn() (in which case I'd be uncertain what the correct boundary is, since on 64 bits (RO_MPT_VIRT_END - RO_MPT_VIRT_START) != (RDWR_MPT_VIRT_END - RDWR_MPT_VIRT_START), and only one of the two ranges can be the correct one)

A range check is needed as the function can be passed unvalidated values from a guest.

The tables you mention above are not involved in get_mfn_from_gpfn() -- they translate the other way. The input gpfn either needs testing against, or masking with, (PADDR_MASK >> PAGE_SHIFT). We should always ensure that the m2p and p2m tables are big enough to be indexed by that value.

I don't think that the mfn-to-gpfn direction needs a check, but an assertion might be worthwhile.

 -- Keir
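
The two options named in the reply above (testing the guest-supplied gpfn against, or masking it with, PADDR_MASK >> PAGE_SHIFT), shown side by side as an added example that is not part of the original message or the Xen source. The table, the toy PADDR_BITS value, INVALID_MFN and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed toy values, not Xen's: a 16-bit "physical address" space
 * with 4 KiB pages, so valid frame numbers are 0..15. */
#define PAGE_SHIFT   12
#define PADDR_BITS   16
#define PADDR_MASK   ((1UL << PADDR_BITS) - 1)
#define MAX_PFN      (PADDR_MASK >> PAGE_SHIFT)   /* largest valid index */
#define INVALID_MFN  (~0UL)                       /* hypothetical sentinel */

/* Table sized so that every value <= MAX_PFN is a valid index. */
static unsigned long p2m_table[MAX_PFN + 1];

/* Fill the toy table: frame n maps to 0x100 + n. */
void p2m_init(void)
{
    for (size_t i = 0; i <= MAX_PFN; i++)
        p2m_table[i] = 0x100 + i;
}

/* Option 1: test the unvalidated gpfn and reject anything out of range. */
unsigned long lookup_checked(unsigned long gpfn)
{
    if (gpfn > MAX_PFN)
        return INVALID_MFN;
    return p2m_table[gpfn];
}

/* Option 2: mask the gpfn so the index can never leave the table.
 * Works because MAX_PFN is of the form 2^n - 1; out-of-range inputs
 * alias onto an in-range entry instead of being reported as invalid. */
unsigned long lookup_masked(unsigned long gpfn)
{
    return p2m_table[gpfn & MAX_PFN];
}

int main(void)
{
    p2m_init();
    printf("checked(3)  = %#lx\n", lookup_checked(3));
    printf("checked(16) = %#lx\n", lookup_checked(16));
    printf("masked(16)  = %#lx\n", lookup_masked(16));
    return 0;
}
```

Both variants depend on the table holding MAX_PFN + 1 entries, which is the sizing guarantee the reply asks for.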