
[Xen-changelog] [xen-3.4-testing] libxc: Check full range of pfns for xc_dom_pfn_to_ptr



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1265625247 0
# Node ID 11c5101f526708ec8a7118329e07bb1fffa9eca4
# Parent  35a62fbdb74d621d2b629fcfda5d871431650729
libxc: Check full range of pfns for xc_dom_pfn_to_ptr

Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.

It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here.  But this is probably best not
done while frozen for 4.0.

Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
xen-unstable changeset:   20888:02107eca8fb7
xen-unstable date:        Wed Feb 03 09:45:40 2010 +0000
---
 tools/libxc/xc_dom_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

diff -r 35a62fbdb74d -r 11c5101f5267 tools/libxc/xc_dom_core.c
--- a/tools/libxc/xc_dom_core.c Wed Feb 03 09:53:37 2010 +0000
+++ b/tools/libxc/xc_dom_core.c Mon Feb 08 10:34:07 2010 +0000
@@ -288,7 +288,9 @@ void *xc_dom_pfn_to_ptr(struct xc_dom_im
     unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
     char *mode = "unset";
 
-    if ( pfn > dom->total_pages )
+    if ( pfn > dom->total_pages ||    /* multiple checks to avoid overflows */
+         count > dom->total_pages ||
+         pfn > dom->total_pages - count )
     {
         xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
                       __FUNCTION__, pfn, dom->total_pages);
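
Review bot: The xc_dom_printf call under the widened condition still prints only pfn and dom->total_pages with the text "pfn out of range (pfn > total_pages)", so a rejection triggered by the count clauses produces a message in which pfn is not actually larger than total_pages. Consider adding count to the format string and arguments so the log shows which bound was violated. Separately, the first clause (pfn > dom->total_pages) is implied by the third once count > dom->total_pages has been ruled out; keeping it is harmless, but the comment "multiple checks to avoid overflows" would be more useful if it said that the count clause must be evaluated before the subtraction so that dom->total_pages - count cannot wrap.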

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

