xen-changelog

[Top] [All Lists]

[Xen-changelog] [xen-unstable] minios: fix a memory corruption in blkfro

from [Xen patchbot-unstable]

[Permanent Link][Original]

To:	xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-changelog] [xen-unstable] minios: fix a memory corruption in blkfront
From:	Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date:	Wed, 15 Apr 2009 05:55:18 -0700
Delivery-date:	Wed, 15 Apr 2009 05:55:55 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id:	BK change log <xen-changelog.lists.xensource.com>
List-post:	<mailto:xen-changelog@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to:	xen-devel@xxxxxxxxxxxxxxxxxxx
Sender:	xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx

# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1239704505 -3600
# Node ID cbaae05c2902739b789b8aa21ddedd0bdbb1ebb0
# Parent  0108af6efdaeec041676f2dc00ad8327e95f1267
minios: fix a memory corruption in blkfront

The corruption happens every time we pass a sector aligned buffer
(instead of a page aligned buffer) to blkfront_aio. To trigger the COW
we have to write at least a byte to each page of the buffer, but we
must be careful not to overwrite useful content.

Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
---
 extras/mini-os/blkfront.c |   14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)

diff -r 0108af6efdae -r cbaae05c2902 extras/mini-os/blkfront.c
--- a/extras/mini-os/blkfront.c Tue Apr 14 11:20:55 2009 +0100
+++ b/extras/mini-os/blkfront.c Tue Apr 14 11:21:45 2009 +0100
@@ -317,19 +317,21 @@ void blkfront_aio(struct blkfront_aiocb 
     req->sector_number = aiocbp->aio_offset / dev->info.sector_size;
 
     for (j = 0; j < n; j++) {
+        req->seg[j].first_sect = 0;
+        req->seg[j].last_sect = PAGE_SIZE / dev->info.sector_size - 1;
+    }
+    req->seg[0].first_sect = ((uintptr_t)aiocbp->aio_buf & ~PAGE_MASK) / 
dev->info.sector_size;
+    req->seg[n-1].last_sect = (((uintptr_t)aiocbp->aio_buf + 
aiocbp->aio_nbytes - 1) & ~PAGE_MASK) / dev->info.sector_size;
+    for (j = 0; j < n; j++) {
        uintptr_t data = start + j * PAGE_SIZE;
         if (!write) {
             /* Trigger CoW if needed */
-            *(char*)data = 0;
+            *(char*)(data + (req->seg[j].first_sect << 9)) = 0;
             barrier();
         }
        aiocbp->gref[j] = req->seg[j].gref =
             gnttab_grant_access(dev->dom, virtual_to_mfn(data), write);
-       req->seg[j].first_sect = 0;
-       req->seg[j].last_sect = PAGE_SIZE / dev->info.sector_size - 1;
-    }
-    req->seg[0].first_sect = ((uintptr_t)aiocbp->aio_buf & ~PAGE_MASK) / 
dev->info.sector_size;
-    req->seg[n-1].last_sect = (((uintptr_t)aiocbp->aio_buf + 
aiocbp->aio_nbytes - 1) & ~PAGE_MASK) / dev->info.sector_size;
+    }
 
     dev->ring.req_prod_pvt = i + 1;
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-changelog] [xen-unstable] minios: fix a memory corruption in blkfront, Xen patchbot-unstable <=

Previous by Date:	[Xen-changelog] [xen-unstable] Fix cpufreq HW-ALL coordination handle, Xen patchbot-unstable
Next by Date:	[Xen-changelog] [xen-unstable] merge with xen-unstable.hg, Xen patchbot-unstable
Previous by Thread:	[Xen-changelog] [xen-unstable] Fix cpufreq HW-ALL coordination handle, Xen patchbot-unstable
Next by Thread:	[Xen-changelog] [xen-unstable] merge with xen-unstable.hg, Xen patchbot-unstable
Indexes:	[Date] [Thread] [Top] [All Lists]