
[Xen-devel] Re: [patch] xen: off by one errors in multicalls.c



On 06/02/2011 09:45 PM, Dan Carpenter wrote:
> b->args[] has MC_ARGS elements, so the comparison here should be
> ">=" instead of ">".  Otherwise we read past the end of the array
> one space.

Yeah, looks like a correct fix.  Fortunately I don't think anything
currently hits that path in practice, though there are some pending
patches which will exercise it more.

Thanks,
    J

> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> ---
> This is a static checker patch and I haven't tested it.  Please
> review carefully.
>
> diff --git a/arch/x86/xen/multicalls.c b/arch/x86/xen/multicalls.c
> index 8bff7e7..1b2b73f 100644
> --- a/arch/x86/xen/multicalls.c
> +++ b/arch/x86/xen/multicalls.c
> @@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args)
>       unsigned argidx = roundup(b->argidx, sizeof(u64));
>  
>       BUG_ON(preemptible());
> -     BUG_ON(b->argidx > MC_ARGS);
> +     BUG_ON(b->argidx >= MC_ARGS);
>  
>       if (b->mcidx == MC_BATCH ||
> -         (argidx + args) > MC_ARGS) {
> +         (argidx + args) >= MC_ARGS) {
>               mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS);
>               xen_mc_flush();
>               argidx = roundup(b->argidx, sizeof(u64));
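
Review bot: The flush condition `(argidx + args) >= MC_ARGS` now also flushes when a request would end exactly at the end of b->args[], which is still in bounds. The allocation handed out below starts at `&b->args[argidx]` and covers indices argidx through argidx + args - 1, so a sum equal to MC_ARGS touches nothing past the array. The change is consistent with the stricter entry BUG_ON (b->argidx can then never reach MC_ARGS), but it reserves the last element permanently. Please say so in the commit message or in a comment next to the check, so the `>=` is not later "fixed" back to `>` in one place only. Also note that nothing in the visible lines re-checks `argidx + args` after xen_mc_flush(), so a request that does not fit even in an empty buffer only surfaces at the final BUG_ON.
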
> @@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args)
>       ret.args = &b->args[argidx];
>       b->argidx = argidx + args;
>  
> -     BUG_ON(b->argidx > MC_ARGS);
> +     BUG_ON(b->argidx >= MC_ARGS);
>       return ret;
>  }
>  
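
Review bot: The closing `BUG_ON(b->argidx >= MC_ARGS)` tests a next-free index, not an index that gets dereferenced. After `b->argidx = argidx + args`, the value MC_ARGS means "buffer exactly full" with every element handed out still inside the array. With `>=` this assertion fires for a request that fills the buffer exactly after a flush, where the old `>` accepted it. If the intent is the invariant "argidx is always a valid index into args[]", a one-line comment stating it here would make the four changed assertions read as one rule rather than four separate off-by-one fixes.
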
> @@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long 
> op, size_t size)
>       struct multicall_space ret = { NULL, NULL };
>  
>       BUG_ON(preemptible());
> -     BUG_ON(b->argidx > MC_ARGS);
> +     BUG_ON(b->argidx >= MC_ARGS);
>  
>       if (b->mcidx == 0)
>               return ret;
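
Review bot: The entry assertion in xen_mc_extend_args() only holds if every writer of b->argidx keeps it strictly below MC_ARGS, and this hunk shows only the check, not the writers. The same expression now appears four times across two functions. Consider a small helper or a shared comment naming the invariant, so a future change to one site is not missed at the others. The commit note says the patch is untested, so it is worth confirming that no path outside these two functions leaves b->argidx equal to MC_ARGS before this runs.
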
> @@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long 
> op, size_t size)
>       if (b->entries[b->mcidx - 1].op != op)
>               return ret;
>  
> -     if ((b->argidx + size) > MC_ARGS)
> +     if ((b->argidx + size) >= MC_ARGS)
>               return ret;
>  
>       ret.mc = &b->entries[b->mcidx - 1];
>       ret.args = &b->args[b->argidx];
>       b->argidx += size;
>  
> -     BUG_ON(b->argidx > MC_ARGS);
> +     BUG_ON(b->argidx >= MC_ARGS);
>       return ret;
>  }
>  
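
Review bot: In the last hunk the trailing `BUG_ON(b->argidx >= MC_ARGS)` cannot fire for any size that passed `(b->argidx + size) >= MC_ARGS` a few lines above, since `b->argidx += size` produces the same sum. The one exception is wrap-around: size is a size_t, so a very large size can wrap the sum below MC_ARGS and pass the early return. If the assertion is meant to catch that case, checking `size >= MC_ARGS - b->argidx` instead of the sum would reject it on the early-return path, where the caller gets the NULL multicall_space and can recover, rather than at a BUG. Otherwise the trailing assertion is documentation only and could be dropped or commented as such.
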

