[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 6/6] domctl/vNUMA: avoid arithmetic overflow
On Wed, Feb 05, 2020 at 02:17:02PM +0100, Jan Beulich wrote: > Checking the result of a multiplication against a certain limit has no > sufficient implication on the original value's range. In the case here > it is in particular problematic that while handling the domctl we do > > if ( copy_from_guest(info->vdistance, uinfo->vdistance, > nr_vnodes * nr_vnodes) ) > goto vnuma_fail; > > which means copying sizeof(unsigned int) * (nr_vnodes * nr_vnodes) > bytes, and the handling of XENMEM_get_vnumainfo similarly has > > tmp.vdistance = xmalloc_array(unsigned int, dom_vnodes * dom_vnodes); > > which means allocating sizeof(unsigned int) * (dom_vnodes * dom_vnodes) > bytes, whereas in then goes on doing this: > > memcpy(tmp.vdistance, d->vnuma->vdistance, > sizeof(*d->vnuma->vdistance) * dom_vnodes * dom_vnodes); > > Note the lack of parentheses in the multiplication expression. > > Adjust the overflow check, moving the must-not-be-zero one right next to > it to avoid questions on whether there might be division by zero. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Wei Liu <wl@xxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |