[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 6/6] domctl/vNUMA: avoid arithmetic overflow

On Wed, Feb 05, 2020 at 02:17:02PM +0100, Jan Beulich wrote:
> Checking the result of a multiplication against a certain limit has no
> sufficient implication on the original value's range. In the case here
> it is in particular problematic that while handling the domctl we do
>     if ( copy_from_guest(info->vdistance, uinfo->vdistance,
>                          nr_vnodes * nr_vnodes) )
>         goto vnuma_fail;
> which means copying sizeof(unsigned int) * (nr_vnodes * nr_vnodes)
> bytes, and the handling of XENMEM_get_vnumainfo similarly has
>         tmp.vdistance = xmalloc_array(unsigned int, dom_vnodes * dom_vnodes);
> which means allocating sizeof(unsigned int) * (dom_vnodes * dom_vnodes)
> bytes, whereas in then goes on doing this:
>         memcpy(tmp.vdistance, d->vnuma->vdistance,
>                sizeof(*d->vnuma->vdistance) * dom_vnodes * dom_vnodes);
> Note the lack of parentheses in the multiplication expression.
> Adjust the overflow check, moving the must-not-be-zero one right next to
> it to avoid questions on whether there might be division by zero.
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Reviewed-by: Wei Liu <wl@xxxxxxx>

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.