[Xen-changelog] [linux-2.6.18-xen] Avoid theoretical TOCTTOU bug in block backend nr_segments checking.

["Xen patchbot-linux-2.6.18-xen" <patchbot-linux-2.6.18-xen@xxxxxxxxxxxxxxxxxxx>]

# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210670928 -3600
# Node ID 3044873a84b70e7bbae977037ef97fe18670e166
# Parent  29b8c3f366031a6f047777da6be0bed9b307ad5a
Avoid theoretical TOCTTOU bug in block backend nr_segments checking.

Based on a patch by Steven Smith <steven.smith@xxxxxxxxxx>

Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx>
---
 drivers/xen/blkback/blkback.c |    3 +++
 drivers/xen/blktap/blktap.c   |    3 +++
 include/xen/blkif.h           |   10 ++++++----
 3 files changed, 12 insertions(+), 4 deletions(-)

diff -r 29b8c3f36603 -r 3044873a84b7 drivers/xen/blkback/blkback.c
--- a/drivers/xen/blkback/blkback.c     Tue May 13 09:32:00 2008 +0100
+++ b/drivers/xen/blkback/blkback.c     Tue May 13 10:28:48 2008 +0100
@@ -343,6 +343,9 @@ static int do_block_io_op(blkif_t *blkif
                        BUG();
                }
                blk_rings->common.req_cons = ++rc; /* before make_response() */
+
+               /* Apply all sanity checks to /private copy/ of request. */
+               barrier();
 
                switch (req.operation) {
                case BLKIF_OP_READ:
diff -r 29b8c3f36603 -r 3044873a84b7 drivers/xen/blktap/blktap.c
--- a/drivers/xen/blktap/blktap.c       Tue May 13 09:32:00 2008 +0100
+++ b/drivers/xen/blktap/blktap.c       Tue May 13 10:28:48 2008 +0100
@@ -1264,6 +1264,9 @@ static int do_block_io_op(blkif_t *blkif
                }
                blk_rings->common.req_cons = ++rc; /* before make_response() */
 
+               /* Apply all sanity checks to /private copy/ of request. */
+               barrier();
+
                switch (req.operation) {
                case BLKIF_OP_READ:
                        blkif->st_rd_req++;
diff -r 29b8c3f36603 -r 3044873a84b7 include/xen/blkif.h
--- a/include/xen/blkif.h       Tue May 13 09:32:00 2008 +0100
+++ b/include/xen/blkif.h       Tue May 13 10:28:48 2008 +0100
@@ -98,8 +98,9 @@ static void inline blkif_get_x86_32_req(
        dst->handle = src->handle;
        dst->id = src->id;
        dst->sector_number = src->sector_number;
-       if (n > src->nr_segments)
-               n = src->nr_segments;
+       barrier();
+       if (n > dst->nr_segments)
+               n = dst->nr_segments;
        for (i = 0; i < n; i++)
                dst->seg[i] = src->seg[i];
 }
@@ -112,8 +113,9 @@ static void inline blkif_get_x86_64_req(
        dst->handle = src->handle;
        dst->id = src->id;
        dst->sector_number = src->sector_number;
-       if (n > src->nr_segments)
-               n = src->nr_segments;
+       barrier();
+       if (n > dst->nr_segments)
+               n = dst->nr_segments;
        for (i = 0; i < n; i++)
                dst->seg[i] = src->seg[i];
 }

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog