This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-changelog] [xen-unstable] libxc: Check full range of pfns for xc_do

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] libxc: Check full range of pfns for xc_dom_pfn_to_ptr
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 03 Feb 2010 01:55:28 -0800
Delivery-date: Wed, 03 Feb 2010 01:57:37 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1265190340 0
# Node ID 02107eca8fb7e8acc6332a67e0781414ad71eeeb
# Parent  b48b5e68847004aeed118d8941cb4b95578eb2e5
libxc: Check full range of pfns for xc_dom_pfn_to_ptr

Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.

It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here.  But this is probably best not
done while frozen for 4.0.

Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
 tools/libxc/xc_dom_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

diff -r b48b5e688470 -r 02107eca8fb7 tools/libxc/xc_dom_core.c
--- a/tools/libxc/xc_dom_core.c Wed Feb 03 09:45:25 2010 +0000
+++ b/tools/libxc/xc_dom_core.c Wed Feb 03 09:45:40 2010 +0000
@@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_im
     unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
     char *mode = "unset";
-    if ( pfn > dom->total_pages )
+    if ( pfn > dom->total_pages ||    /* multiple checks to avoid overflows */
+         count > dom->total_pages ||
+         pfn > dom->total_pages - count )
         xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
                       __FUNCTION__, pfn, dom->total_pages);
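Review bot: The diagnostic in the unchanged xc_dom_printf context lines still reports only pfn and dom->total_pages as "pfn out of range", but with the new conditions the branch is also taken when count is too large, so the message can print a pfn that is below total_pages and hide the real cause. Consider adding count to the format string and its arguments. Two smaller points on the condition itself: the first comparison `pfn > dom->total_pages` is implied by the other two (count <= total_pages together with pfn <= total_pages - count gives pfn <= total_pages), so it is redundant though harmless; and with count == 0 the check still accepts pfn == dom->total_pages, which deserves a short comment if that boundary is intentional. The ordering of the comparisons is correct: the subtraction in `pfn > dom->total_pages - count` is only evaluated after `count > dom->total_pages` has been ruled out, so it cannot go below zero.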
