WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-changelog

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-changelog] [linux-2.6.18-xen] Avoid theoretical TOCTTOU bug in bloc

from [Xen patchbot-linux-2.6.18-xen] [Permanent Link][Original]
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [linux-2.6.18-xen] Avoid theoretical TOCTTOU bug in block backend nr_segments checking.
From: "Xen patchbot-linux-2.6.18-xen" <patchbot-linux-2.6.18-xen@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 13 May 2008 08:30:35 -0700
Delivery-date: Tue, 13 May 2008 08:31:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx 
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210670928 -3600
# Node ID 3044873a84b70e7bbae977037ef97fe18670e166
# Parent  29b8c3f366031a6f047777da6be0bed9b307ad5a
Avoid theoretical TOCTTOU bug in block backend nr_segments checking.

Based on a patch by Steven Smith <steven.smith@xxxxxxxxxx>

Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx>
---
 drivers/xen/blkback/blkback.c |    3 +++
 drivers/xen/blktap/blktap.c   |    3 +++
 include/xen/blkif.h           |   10 ++++++----
 3 files changed, 12 insertions(+), 4 deletions(-)

diff -r 29b8c3f36603 -r 3044873a84b7 drivers/xen/blkback/blkback.c
--- a/drivers/xen/blkback/blkback.c     Tue May 13 09:32:00 2008 +0100
+++ b/drivers/xen/blkback/blkback.c     Tue May 13 10:28:48 2008 +0100
@@ -343,6 +343,9 @@ static int do_block_io_op(blkif_t *blkif
                        BUG();
                }
                blk_rings->common.req_cons = ++rc; /* before make_response() */
+
+               /* Apply all sanity checks to /private copy/ of request. */
+               barrier();
 
                switch (req.operation) {
                case BLKIF_OP_READ:
diff -r 29b8c3f36603 -r 3044873a84b7 drivers/xen/blktap/blktap.c
--- a/drivers/xen/blktap/blktap.c       Tue May 13 09:32:00 2008 +0100
+++ b/drivers/xen/blktap/blktap.c       Tue May 13 10:28:48 2008 +0100
@@ -1264,6 +1264,9 @@ static int do_block_io_op(blkif_t *blkif
                }
                blk_rings->common.req_cons = ++rc; /* before make_response() */
 
+               /* Apply all sanity checks to /private copy/ of request. */
+               barrier();
+
                switch (req.operation) {
                case BLKIF_OP_READ:
                        blkif->st_rd_req++;
diff -r 29b8c3f36603 -r 3044873a84b7 include/xen/blkif.h
--- a/include/xen/blkif.h       Tue May 13 09:32:00 2008 +0100
+++ b/include/xen/blkif.h       Tue May 13 10:28:48 2008 +0100
@@ -98,8 +98,9 @@ static void inline blkif_get_x86_32_req(
        dst->handle = src->handle;
        dst->id = src->id;
        dst->sector_number = src->sector_number;
-       if (n > src->nr_segments)
-               n = src->nr_segments;
+       barrier();
+       if (n > dst->nr_segments)
+               n = dst->nr_segments;
        for (i = 0; i < n; i++)
                dst->seg[i] = src->seg[i];
 }
@@ -112,8 +113,9 @@ static void inline blkif_get_x86_64_req(
        dst->handle = src->handle;
        dst->id = src->id;
        dst->sector_number = src->sector_number;
-       if (n > src->nr_segments)
-               n = src->nr_segments;
+       barrier();
+       if (n > dst->nr_segments)
+               n = dst->nr_segments;
        for (i = 0; i < n; i++)
                dst->seg[i] = src->seg[i];
 }

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [linux-2.6.18-xen] Avoid theoretical TOCTTOU bug in block backend nr_segments checking., Xen patchbot-linux-2.6.18-xen <=
Previous by Date:  [Xen-changelog] [linux-2.6.18-xen] xen: Cleanup of MSI code, Xen patchbot-linux-2.6.18-xen
Next by Date:  [Xen-changelog] [xen-3.2-testing] libxc foreign address translation bug, Xen patchbot-3.2-testing
Previous by Thread:  [Xen-changelog] [linux-2.6.18-xen] xen: Cleanup of MSI code, Xen patchbot-linux-2.6.18-xen
Next by Thread:  [Xen-changelog] [xen-3.2-testing] libxc foreign address translation bug, Xen patchbot-3.2-testing
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy