[Xen-changelog] [xen-unstable] libxc: Check full range of pfns for xc_dom_pfn_to_ptr
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1265190340 0 # Node ID 02107eca8fb7e8acc6332a67e0781414ad71eeeb # Parent b48b5e68847004aeed118d8941cb4b95578eb2e5 libxc: Check full range of pfns for xc_dom_pfn_to_ptr Previously, passing a valid pfn but an overly large count to xc_dom_pfn_to_ptr, and functions which call it, would run off the end of the pfn array giving undefined behaviour. It is tempting to change this check to an assert, as no callers should be providing invalid parameters here. But this is probably best not done while frozen for 4.0. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> --- tools/libxc/xc_dom_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletion(-) diff -r b48b5e688470 -r 02107eca8fb7 tools/libxc/xc_dom_core.c --- a/tools/libxc/xc_dom_core.c Wed Feb 03 09:45:25 2010 +0000 +++ b/tools/libxc/xc_dom_core.c Wed Feb 03 09:45:40 2010 +0000 @@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_im unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom); char *mode = "unset"; - if ( pfn > dom->total_pages ) + if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */ + count > dom->total_pages || + pfn > dom->total_pages - count ) { xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n", __FUNCTION__, pfn, dom->total_pages); _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
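Review bot: the unchanged xc_dom_printf call right after the new condition still reports only pfn and dom->total_pages, so a request rejected by `count > dom->total_pages` or `pfn > dom->total_pages - count` is logged as "pfn out of range (0x... > 0x...)" even when the printed pfn is smaller than total_pages. Suggest adding count to the message so the log shows which bound failed. Separately, with count == 0 the condition still accepts pfn == dom->total_pages, because the first clause uses > rather than >=; a short comment stating whether that is intended would help the next reader. The split into three comparisons (instead of pfn + count > dom->total_pages) is the right way to avoid wraparound, and the inline comment could say so explicitly.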