This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH] xenbus: fix possible crash in xenbus_uevent_back

To: Olaf Hering <olaf@xxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] xenbus: fix possible crash in xenbus_uevent_backend
From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Date: Mon, 18 Jul 2011 14:11:24 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 18 Jul 2011 06:11:55 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20110718124059.GA7893@xxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Organization: Citrix Systems, Inc.
References: <20110718124059.GA7893@xxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
On Mon, 2011-07-18 at 13:40 +0100, Olaf Hering wrote:
> Fix possible NULL pointer crash in xenbus_uevent_backend().
> The variable to check for should probably be bus.
> Signed-off-by: Olaf Hering <olaf@xxxxxxxxx>
> Index: linux-3.0-rc7-xen-kexec/drivers/xen/xenbus/xenbus_probe_backend.c
> ===================================================================
> --- linux-3.0-rc7-xen-kexec.orig/drivers/xen/xenbus/xenbus_probe_backend.c
> +++ linux-3.0-rc7-xen-kexec/drivers/xen/xenbus/xenbus_probe_backend.c
> @@ -104,7 +104,7 @@ static int xenbus_uevent_backend(struct
>       xdev = to_xenbus_device(dev);
>       bus = container_of(xdev->dev.bus, struct xen_bus_type, bus);
> -     if (xdev == NULL)
> +     if (bus == NULL)
>               return -ENODEV;
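Review bot: The new `bus == NULL` test, placed after the `bus = container_of(...)` line, cannot detect a missing bus. container_of subtracts the offset of the `bus` member within `struct xen_bus_type`, so a NULL `xdev->dev.bus` yields a non-NULL `bus` unless that offset is zero. If the aim is to guard against an unset bus, test `xdev->dev.bus` itself before the conversion. Note also that `xdev->dev.bus` is a load through `xdev`, so whichever check is kept belongs above the `bus = container_of(...)` line, and with this change `xdev` is no longer checked at all. The commit message says the variable "should probably be bus"; please state whether a crash was actually observed.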

Is this fixing an actual crash which you observed or just something you
noticed looking at the code?

container_of is pure pointer arithmetic without dereferencing so to get
bus == NULL you'd need xdev == offsetof(struct xen_bus_type, bus) or
some such.

I think the check of xdev is correct, although it might be clearer if it
preceded the "bus = ... "; it's not actively harmful where it is since
container_of doesn't dereference the pointer.
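The pointer arithmetic discussed in this reply, as an added user-space example that is not part of the original message or the kernel source. The struct layouts, the sample node name and the helper names (`outer_from_member`, `check_after_fires`, `lookup_bus`, `valid_device_resolves`) are constructed for illustration; the arithmetic is done on `uintptr_t` so that a NULL input is well defined.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the real kernel layouts. */
struct bus_type { const char *name; };
struct xen_bus_type { char *root; unsigned int levels; struct bus_type bus; };
struct device { struct bus_type *bus; };
struct xenbus_device { const char *nodename; struct device dev; };

/* container_of's arithmetic on uintptr_t, so a NULL input is well defined here. */
uintptr_t outer_from_member(const struct bus_type *member)
{
    return (uintptr_t)member - offsetof(struct xen_bus_type, bus);
}

/* 1 if a "bus == NULL" test placed after the conversion would fire. */
int check_after_fires(const struct bus_type *member)
{
    return outer_from_member(member) == 0;
}

/* Hypothetical helper: test both pointers before they are used. */
int lookup_bus(struct xenbus_device *xdev, struct xen_bus_type **out)
{
    if (xdev == NULL || xdev->dev.bus == NULL)
        return -ENODEV;
    *out = (struct xen_bus_type *)outer_from_member(xdev->dev.bus);
    return 0;
}

/* 1 if a valid device (constructed sample) resolves to its enclosing xen_bus_type. */
int valid_device_resolves(void)
{
    struct xen_bus_type xb = { 0 };
    struct xenbus_device xdev = { "backend/vbd/1/51712", { &xb.bus } };
    struct xen_bus_type *found = NULL;
    return lookup_bus(&xdev, &found) == 0 && found == &xb;
}

int main(void)
{
    printf("offset of bus member: %zu\n", offsetof(struct xen_bus_type, bus));
    printf("NULL member, check fires: %d\n", check_after_fires(NULL));
    printf("NULL xdev: %d\n", lookup_bus(NULL, NULL));
    printf("valid device resolves: %d\n", valid_device_resolves());
    return 0;
}
```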

