[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.22] dom0less: Prevent division by zero in handle_passthrough_prop()


  • To: Dmytro Prokopchuk1 <dmytro_prokopchuk1@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
  • From: "Orzel, Michal" <michal.orzel@xxxxxxx>
  • Date: Thu, 9 Jul 2026 11:43:59 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=epam.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=76a5sYqenz7eXKb6nlRklAPVHPeXXn+8yt038HKBkeQ=; b=wWJRmxwNlWc5/kiuzVO3Vy3KiURKoQbH7/AIMVBRgiI0bRiQtharTZqqvU5DieWIFxJDW6YOiHgZ3mbBceOlE8gBfpzKcbkClRj0EL0JV4DMAfFPe4tJpLRy65Fw+RikX4oP74tmw9D+2kXGxmX/c9QLOOnvl5E3NIcDWxY+ng2/Uxfjiz21Pqo9U7qaIrt0QXfkvGd4stv1r+4Gr/SFAL7JJRX9QCSQqrNFL9YxXPrYQ7rSorGPCHD9MR+kVa60hKqrwWnaDXtdPi0qGkhcoH+A4cN8YXAse6KBEk+s8XP789Vl8MyV1e1xR0c08FOXGqis40xYbuyurgdE/wOgHw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=u60MiRfufEN7TZStImgy84qqwTb6XX9oigTH0TMWYQ1Wt0Tvwqc4JSbAJTUZZifHr1284dkPD4Bntw9FVGIH4z2XlI9RqcJ0T8w5XLaS8GX6N0CkRPhc2/LEhdWYP24l8GeaHeIOcHgC3H2UDBoPRVwSkPW3EBgY+wkDaJ6ED67KWGnM7xX5LVkUoCJLJjEteGWPD859nbrZrcxdpZPVuLIb/mBCqmOGq5Sj/idVC2o7y4jq1bnUJElB+JIx3cKKn6bou8CkcBnpvy0PdQd8lJM0J4/0vtbi3SqwBySVk1muF0HpFib4X8tXQFsn9m2eD33io6YW/R0wW24PFCu9Zw==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=amd.com header.i="@amd.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Oleksii Kurochko" <oleksii.kurochko@xxxxxxxxx>
  • Delivery-date: Thu, 09 Jul 2026 09:44:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>


On 09-Jul-26 11:39, Dmytro Prokopchuk1 wrote:
> 
> 
> On 7/9/26 10:51, Orzel, Michal wrote:
>>
>>
>> On 09-Jul-26 08:57, Jan Beulich wrote:
>>> On 08.07.2026 19:04, Dmytro Prokopchuk1 wrote:
>>>> Hello Jan,
>>>>
>>>> On 7/8/26 09:15, Jan Beulich wrote:
>>>>> On 07.07.2026 18:08, Oleksii Kurochko wrote:
>>>>>> On 7/7/26 5:16 PM, Dmytro Prokopchuk1 wrote:
>>>>>>> --- a/xen/common/device-tree/dom0less-build.c
>>>>>>> +++ b/xen/common/device-tree/dom0less-build.c
>>>>>>> @@ -154,6 +154,13 @@ static int __init handle_passthrough_prop(struct 
>>>>>>> kernel_info *kinfo,
>>>>>>>     
>>>>>>>         /* xen,reg specifies where to map the MMIO region */
>>>>>>>         cell = (const __be32 *)xen_reg->data;
>>>>>>> +
>>>>>>> +    if ( (address_cells * 2 + size_cells) == 0 )
>>>>>>
>>>>>> Considering that this calculation happens second time here ...
>>>>>>
>>>>>>> +    {
>>>>>>> +        printk(XENLOG_ERR "Invalid address/size cells combination 
>>>>>>> (both 0)\n");
>>>>>>> +        return -EINVAL;
>>>>>>> +    }
>>>>>>> +
>>>>>>>         len = fdt32_to_cpu(xen_reg->len) / ((address_cells * 2 + 
>>>>>>> size_cells) *
>>>>>>>                                             sizeof(uint32_t));
>>>>>>
>>>>>> ... I think it would be nice to calculate that once.
>>>>>
>>>>> Hmm, originally I meant to simply stay silent here. But now that you say 
>>>>> this,
>>>>> I'd like to express that I find this 2nd calculation of the same 
>>>>> expression
>>>>> bogus. If the goal is to deal with both values being zero at the same 
>>>>> time,
>>>>> check that (and nothing else). If instead the goal is to truly prevent the
>>>>> divisor expression from ending up 0, that (and not a shorter surrogate) 
>>>>> would
>>>>> need checking. In particular, the multiplication by sizeof(uint32_t) can
>>>>> convert non-zero to zero.
>>>> Yes, you are right. Need to check whole expression.
>>>>>
>>>>> At that point the question then would be whether overflow (and hence
>>>>> truncation) in any of the involved expressions shouldn't also be detected 
>>>>> /
>>>>> rejected.
>>>> Testing zero is useful, but not enough - the expression (address_cells *
>>>> 2 + size_cells) * sizeof(*cell) can overflow and wrap around to a small,
>>>> non-zero number. Source code analyze showed that Xen only supports cell
>>>> sizes of 1 or 2, and there is a ASSERT_UNREACHABLE() in dt_read_number()
>>>> which prevents from using wrong cell values in DEBUG builds.
>>>>
>>>> I would propose the next checking:
>>>>
>>>>       if ( address_cells < 1 || address_cells > 2 ||
>>>>            size_cells < 1 || size_cells > 2 )
>>>>       {
>>>>           printk(XENLOG_ERR "Invalid address/size cells combination\n");
>>>>           return -EINVAL;
>>>>       }
>>>>
>>>> This will cover zero check, and overflows.
>>>
>>> It'll need to be the maintainers of this code to judge whether this is
>>> appropriate here.
>> It is but I would prefer to put it at the read side, not at the use side. 
>> Place
>> it in scan_pfdt_node() after `size_cells = device_tree_get_u32`.
>> The first call to scan_pfdt_node() passes defaults, so it is ok.
>>
>> ~Michal
>>
> 
> Hi Michal,
> 
> Nice idea! I'll create v3 for this.
Also, to avoid respins, please put the expressions in brackets.

~Michal




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.