# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1192714803 -3600
# Node ID f25ece9e1af409b4f6e5fa9836be680c5876b90d
# Parent cb6254fd69136b0b0d8b71e75d1a7435c8433a52
libxc: Avoid overflow in xc_domain_dumpcore_via_callback().
nr_pages*PAGE_SIZE can overflow a 32-bit long.
From: Daisuke Nishimura <nishimura@xxxxxxxxxxxxxxxxx>
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
xen-unstable changeset: 16111:c19c51317eebe8e852dd4ad90ca19880397fa3b4
xen-unstable date: Mon Oct 15 12:20:43 2007 +0100
---
tools/libxc/xc_core.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff -r cb6254fd6913 -r f25ece9e1af4 tools/libxc/xc_core.c
--- a/tools/libxc/xc_core.c Thu Oct 18 09:59:20 2007 +0100
+++ b/tools/libxc/xc_core.c Thu Oct 18 14:40:03 2007 +0100
@@ -580,7 +580,7 @@ xc_domain_dumpcore_via_callback(int xc_h
}
if ( !auto_translated_physmap )
{
- filesz = nr_pages * sizeof(p2m_array[0]);
+ filesz = (uint64_t)nr_pages * sizeof(p2m_array[0]);
sts = xc_core_shdr_set(shdr, strtab, XEN_DUMPCORE_SEC_P2M,
SHT_PROGBITS,
offset, filesz, __alignof__(p2m_array[0]),
@@ -590,7 +590,7 @@ xc_domain_dumpcore_via_callback(int xc_h
}
else
{
- filesz = nr_pages * sizeof(pfn_array[0]);
+ filesz = (uint64_t)nr_pages * sizeof(pfn_array[0]);
sts = xc_core_shdr_set(shdr, strtab, XEN_DUMPCORE_SEC_PFN,
SHT_PROGBITS,
offset, filesz, __alignof__(pfn_array[0]),
@@ -620,7 +620,7 @@ xc_domain_dumpcore_via_callback(int xc_h
dummy_len = ROUNDUP(offset, PAGE_SHIFT) - offset; /* padding length */
offset += dummy_len;
- filesz = nr_pages * PAGE_SIZE;
+ filesz = (uint64_t)nr_pages * PAGE_SIZE;
sts = xc_core_shdr_set(shdr, strtab, XEN_DUMPCORE_SEC_PAGES, SHT_PROGBITS,
offset, filesz, PAGE_SIZE, PAGE_SIZE);
if ( sts != 0 )
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|