WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-devel

[Xen-devel] [PATCH]mini-os: Bug in allocate_xenbus_id()

To: Grzegorz Milos <gm281@xxxxxxxxx>
Subject: [Xen-devel] [PATCH]mini-os: Bug in allocate_xenbus_id()
From: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 19 Feb 2007 10:47:14 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx

Hi Gregor,

In allocate_xenbus_id() the static variable probe never gets reset.
Therewith ids >= NR_REQS are possible, which lead to an overflow in
req_info[] and may crash the mini-os.
Thanks.

Dietmar

Signed-off-by: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>

# HG changeset patch
# User dietmar.hahn@xxxxxxxxxxxxxxxxxxx
# Date 1171877953 -3600
# Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415
# Parent  b5fc88aad1b0eb35d12e503982c70fdc27f0544a
Because probe never gets decremented (or reset), id >= NR_REQS is possible, 
which may lead to a crash.

diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c
--- a/extras/mini-os/xenbus/xenbus.c    Sun Feb 18 15:29:40 2007 +0000
+++ b/extras/mini-os/xenbus/xenbus.c    Mon Feb 19 10:39:13 2007 +0100
@@ -210,7 +210,7 @@ static int allocate_xenbus_id(void)
     }
     nr_live_reqs++;
     req_info[o_probe].in_use = 1;
-    probe = o_probe + 1;
+    probe = (o_probe + 1) % NR_REQS;
     spin_unlock(&req_lock);
     init_waitqueue_head(&req_info[o_probe].waitq);
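
Review bot: the bound added at `probe = (o_probe + 1) % NR_REQS;` covers only the value saved for the next call, while `req_info[o_probe].in_use = 1` two lines earlier and `init_waitqueue_head(&req_info[o_probe].waitq)` after the unlock index the array with `o_probe` itself. Whether `o_probe` stays below NR_REQS depends on the search loop above this hunk, which is not shown here, so please confirm that the loop wraps as well, or add an assertion on `o_probe < NR_REQS` before the first array write so an out-of-range index fails loudly instead of writing past req_info[]. A short comment next to the static `probe` saying it must always stay in [0, NR_REQS) would also document the invariant this one-line fix relies on.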

