WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] Re: [PATCH]mini-os: Bug in allocate_xenbus_id()

from [Grzegorz Milos] [Permanent Link][Original]
To: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Re: [PATCH]mini-os: Bug in allocate_xenbus_id()
From: Grzegorz Milos <gm281@xxxxxxxxx>
Date: Tue, 20 Feb 2007 18:53:16 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 20 Feb 2007 10:52:58 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <200702191047.14724.dietmar.hahn@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <200702060803.21254.dietmar.hahn@xxxxxxxxxxxxxxxxxxx> <200702121136.50332.dietmar.hahn@xxxxxxxxxxxxxxxxxxx> <F0F75DE2-9006-4A99-BFF5-F291C4790434@xxxxxxxxx> <200702191047.14724.dietmar.hahn@xxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5 (X11/20051025) 
That's a good catch. Did you see the bug manifesting itself in practice?

Keir could you apply please?
Thanks.
Gregor

Dietmar Hahn wrote:

Hi Gregor,

in allocate_xenbus_id() the static variable probe never gets reset.
Therewidth id's >= NR_REQS are possible, which lead to an overflow in
req_info[] and may crash the  mini-os.
Thanks.

Dietmar

Signed-off-by: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>

# HG changeset patch
# User dietmar.hahn@xxxxxxxxxxxxxxxxxxx
# Date 1171877953 -3600
# Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415
# Parent  b5fc88aad1b0eb35d12e503982c70fdc27f0544a
Because probe never gets decremented (or reset), id >= NR_REQS is possible, which may lead to a crash. 

diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c
--- a/extras/mini-os/xenbus/xenbus.c    Sun Feb 18 15:29:40 2007 +0000
+++ b/extras/mini-os/xenbus/xenbus.c    Mon Feb 19 10:39:13 2007 +0100
@@ -210,7 +210,7 @@ static int allocate_xenbus_id(void)
     }
     nr_live_reqs++;
     req_info[o_probe].in_use = 1;
-    probe = o_probe + 1;
+    probe = (o_probe + 1) % NR_REQS;
     spin_unlock(&req_lock);
     init_waitqueue_head(&req_info[o_probe].waitq);


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] Sles9.3 HVM guest block, Keir Fraser
Next by Date:  Re: [Xen-devel] [PATCH] acm: fix deadlock and bogus loop (Was Re: [Xen-changelog] [xen-unstable] acm: Further fixes after grant-table changes.), Stefan Berger
Previous by Thread:  [Xen-devel] [PATCH]mini-os: Bug in allocate_xenbus_id(), Dietmar Hahn
Next by Thread:  [Xen-devel] Re: [PATCH]mini-os: Bug in allocate_xenbus_id(), Dietmar Hahn
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy