[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v2 3/3] tmem: fix Out-of-bounds read reported by Coverity

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Bob Liu <lliubbo@xxxxxxxxx>
Date: Wed, 7 May 2014 14:30:50 +0800
Cc: andrew.cooper3@xxxxxxxxxx, keir@xxxxxxx, jbeulich@xxxxxxxx
Delivery-date: Wed, 07 May 2014 06:31:41 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

CID 1198729, CID 1198730 and CID 1198734 complain about
"Out-of-bounds read".

This patch fixes them by casting the 'firstbyte' to (uint8_t), some
unnecessary assertion also be dropped.

Signed-off-by: Bob Liu <bob.liu@xxxxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/common/tmem.c |   11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index f2dc26e..93235c6 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -399,7 +399,7 @@ static void pcd_disassociate(struct tmem_page_descriptor 
*pgp, struct tmem_pool
 {
     struct tmem_page_content_descriptor *pcd = pgp->pcd;
     struct page_info *pfp = pgp->pcd->pfp;
-    uint16_t firstbyte = pgp->firstbyte;
+    uint8_t firstbyte = pgp->firstbyte;
     char *pcd_tze = pgp->pcd->tze;
     pagesize_t pcd_size = pcd->size;
     pagesize_t pgp_size = pgp->size;
@@ -407,8 +407,6 @@ static void pcd_disassociate(struct tmem_page_descriptor 
*pgp, struct tmem_pool
     pagesize_t pcd_csize = pgp->pcd->size;
 
     ASSERT(tmem_dedup_enabled());
-    ASSERT(firstbyte != NOT_SHAREABLE);
-    ASSERT(firstbyte < 256);
 
     if ( have_pcd_rwlock )
         ASSERT_WRITELOCK(&pcd_tree_rwlocks[firstbyte]);
@@ -1231,7 +1229,7 @@ static bool_t tmem_try_to_evict_pgp(struct 
tmem_page_descriptor *pgp, bool_t *ho
     struct tmem_object_root *obj = pgp->us.obj;
     struct tmem_pool *pool = obj->pool;
     struct client *client = pool->client;
-    uint16_t firstbyte = pgp->firstbyte;
+    uint8_t firstbyte = pgp->firstbyte;
 
     if ( pool->is_dying )
         return 0;
@@ -1239,10 +1237,9 @@ static bool_t tmem_try_to_evict_pgp(struct 
tmem_page_descriptor *pgp, bool_t *ho
     {
         if ( tmem_dedup_enabled() )
         {
-            firstbyte = pgp->firstbyte;
-            if ( firstbyte ==  NOT_SHAREABLE )
+            if ( pgp->firstbyte ==  NOT_SHAREABLE )
                 goto obj_unlock;
-            ASSERT(firstbyte < 256);
+            firstbyte = pgp->firstbyte;
             if ( !write_trylock(&pcd_tree_rwlocks[firstbyte]) )
                 goto obj_unlock;
             if ( pgp->pcd->pgp_ref_count > 1 && !pgp->eviction_attempted )
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v2 3/3] tmem: fix Out-of-bounds read reported by Coverity
  - From: Jan Beulich

References:
- [Xen-devel] [PATCH v2 1/3] xc/tmem: Free temporary buffer used during migration
  - From: Bob Liu

Prev by Date: [Xen-devel] [PATCH v2 2/3] xc/tmem: Unchecked return value
Next by Date: Re: [Xen-devel] Issue policing writes from Xen to PV domain memory
Previous by thread: Re: [Xen-devel] [PATCH v2 2/3] xc/tmem: Unchecked return value
Next by thread: Re: [Xen-devel] [PATCH v2 3/3] tmem: fix Out-of-bounds read reported by Coverity
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.