[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IRP buffer access in XENHID

To: paul@xxxxxxx
From: Troy Crosley <troycrosley@xxxxxxxxx>
Date: Fri, 16 Oct 2020 15:33:28 -0400
Cc: Owen Smith <owen.smith@xxxxxxxxxx>, win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 16 Oct 2020 19:33:42 +0000
List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

Under certain situations, such as when input is being sent during driver install or sleep transition, FdoCsqPeekNextIrp can be called with an empty Fdo->List. In that case, FdoCsqPeekNextIrp dereferences the list head and returns an invalid IRP; it should check for this error condition.

Troy "Owen" Crosley

On Fri, Oct 16, 2020 at 4:05 AM Paul Durrant <xadimgnik@xxxxxxxxx> wrote:

Hi Owen,

In testing Troy's power state handling patch I got a crash, which appears to be because XENHID is directly accessing user memory
in IRP handling (particularly UserBuffer in the hid callback) without probing for access. Is that just an oversight, or is there a
reason not to call ProbeForRead/Write() on the buffers?

Paul

References:
- IRP buffer access in XENHID
  - From: Paul Durrant

Prev by Date: XENHID-master - Build #23 - Successful
Next by Date: [PATCH] Add check for empty List in FdoCsqPeekNextIrp.
Previous by thread: IRP buffer access in XENHID
Next by thread: XENHID-master - Build #23 - Successful
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.