[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.22] dom0less: Prevent division by zero in handle_passthrough_prop()


  • To: Jan Beulich <jbeulich@xxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
  • From: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>
  • Date: Wed, 8 Jul 2026 17:04:44 +0000
  • Accept-language: en-US, uk-UA, ru-RU
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uikqKhueURthZnybTA74Ibzy5r7ysbLJVb6DmVx4+C0=; b=cm/8O8rDy16/z2oeisYPFm8+7xxXPiz+81f0O3/3XPbXnlD1AEkBdser0wFna2Iw6WOPwhgrrudJQCo/Pt8Xk+axaTW5wU3k8fa9aQI9oWCtPHKGSLZZ+USxRVGR0ODz2k4I5QB+zMjJD+YD3D8g0YI/8JPAcLb3N0wgwEkp6l061bO638fVXWp344MkdU284AaiHOVEBeS/5rw+jwoLPp33SNm97+62h7xYz9dTpD2UVuzN44F3POFPKuRgXTLpkZYKxU/BLZgGXAUcyzls2zt5CpszGy2zxYENlqowY/qEdXpzDdxwsV6t3Y4nTiuZhPre+UU077mYAbgUWLFnUA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=r3jlayRDTQb3ORW2IufTfmVlGYmPh8no6TwWy+N9aBxa5/VgrGbcSU3jqXQrUCMl73ryxG8LKe13Ev0Caxxmw4EtdC53BiDR6BJuHRTXMNbPDQ2WC6QOn9srZu3i1Re255EI6sij9mUs1rJ7ogCsRBEy09bWpr+qXzize0WmGnM9z29srx3Pw6iAUJcajC4lGw0hEkJ4zfx19aNM92apzwvmUQfARg23gEpAKjAEHGeHj+I7afKeQ8U1svExH6LPId8RKkMhYrNmADWwxbB9aK2nesmlHOe9qig9gvR7CK7rq6jSsxBaWv1A3mWjj24Y6OGRR87psYT/gPVqq1JAmw==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=epam.com header.i="@epam.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 08 Jul 2026 17:05:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHdDiOX7r4PlObs6ESPVB8UpORls7ZiOVkAgADswwCAALVbAA==
  • Thread-topic: [PATCH for-4.22] dom0less: Prevent division by zero in handle_passthrough_prop()

Hello Jan,

On 7/8/26 09:15, Jan Beulich wrote:
> On 07.07.2026 18:08, Oleksii Kurochko wrote:
>> On 7/7/26 5:16 PM, Dmytro Prokopchuk1 wrote:
>>> --- a/xen/common/device-tree/dom0less-build.c
>>> +++ b/xen/common/device-tree/dom0less-build.c
>>> @@ -154,6 +154,13 @@ static int __init handle_passthrough_prop(struct 
>>> kernel_info *kinfo,
>>>    
>>>        /* xen,reg specifies where to map the MMIO region */
>>>        cell = (const __be32 *)xen_reg->data;
>>> +
>>> +    if ( (address_cells * 2 + size_cells) == 0 )
>>
>> Considering that this calculation happens second time here ...
>>
>>> +    {
>>> +        printk(XENLOG_ERR "Invalid address/size cells combination (both 
>>> 0)\n");
>>> +        return -EINVAL;
>>> +    }
>>> +
>>>        len = fdt32_to_cpu(xen_reg->len) / ((address_cells * 2 + size_cells) 
>>> *
>>>                                            sizeof(uint32_t));
>>
>> ... I think it would be nice to calculate that once.
> 
> Hmm, originally I meant to simply stay silent here. But now that you say this,
> I'd like to express that I find this 2nd calculation of the same expression
> bogus. If the goal is to deal with both values being zero at the same time,
> check that (and nothing else). If instead the goal is to truly prevent the
> divisor expression from ending up 0, that (and not a shorter surrogate) would
> need checking. In particular, the multiplication by sizeof(uint32_t) can
> convert non-zero to zero.
Yes, you are right. Need to check whole expression.
> 
> At that point the question then would be whether overflow (and hence
> truncation) in any of the involved expressions shouldn't also be detected /
> rejected.
Testing zero is useful, but not enough - the expression (address_cells * 
2 + size_cells) * sizeof(*cell) can overflow and wrap around to a small, 
non-zero number. Source code analyze showed that Xen only supports cell 
sizes of 1 or 2, and there is a ASSERT_UNREACHABLE() in dt_read_number() 
which prevents from using wrong cell values in DEBUG builds.

I would propose the next checking:

     if ( address_cells < 1 || address_cells > 2 ||
          size_cells < 1 || size_cells > 2 )
     {
         printk(XENLOG_ERR "Invalid address/size cells combination\n");
         return -EINVAL;
     }

This will cover zero check, and overflows.
> 
> Finally, as we're already touching on this code: sizeof(uint32_t) also is
> bogus, and it is a good example of why sizeof(<expression>) is to be
> preferred over sizeof(<type>): What's meant here is - afaict - sizeof(*cell),
> i.e. sizeof(__be32). (Imo using sizeof() with the wrong type is worse than
> writing simply 4.)
Ack.
> 
> Jan

BR, Dmytro.

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.