Xen project Mailing List

[Xen-changelog] [xen-unstable] Revert 26109:6ccfe4d29f95

From: Xen patchbot-unstable <patchbot@xxxxxxx>

Date: Tue, 30 Oct 2012 04:00:12 +0000

Delivery-date: Tue, 30 Oct 2012 04:00:29 +0000

List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch # User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> # Date 1351247982 -3600 # Node ID d07692b5c780d5e2a9f86bdd77d6627bdf67aa68 # Parent c26e1a79fe77735410d5712348a612fa4b1e377f Revert 26109:6ccfe4d29f95 This changeset was contaminated by changes hanging around in my working tree. Sorry :-(. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> --- diff -r c26e1a79fe77 -r d07692b5c780 stubdom/grub/kexec.c --- a/stubdom/grub/kexec.c Thu Oct 25 17:12:55 2012 +0100 +++ b/stubdom/grub/kexec.c Fri Oct 26 11:39:42 2012 +0100 @@ -137,10 +137,6 @@ void kexec(void *kernel, long kernel_siz dom = xc_dom_allocate(xc_handle, cmdline, features); dom->allocate = kexec_allocate; - /* We are using guest owned memory, therefore no limits. */ - xc_dom_kernel_max_size(dom, 0); - xc_dom_ramdisk_max_size(dom, 0); - dom->kernel_blob = kernel; dom->kernel_size = kernel_size; diff -r c26e1a79fe77 -r d07692b5c780 tools/libxc/xc_dom.h --- a/tools/libxc/xc_dom.h Thu Oct 25 17:12:55 2012 +0100 +++ b/tools/libxc/xc_dom.h Fri Oct 26 11:39:42 2012 +0100 @@ -55,9 +55,6 @@ struct xc_dom_image { void *ramdisk_blob; size_t ramdisk_size; - size_t max_kernel_size; - size_t max_ramdisk_size; - /* arguments and parameters */ char *cmdline; uint32_t f_requested[XENFEAT_NR_SUBMAPS]; @@ -197,13 +194,6 @@ void xc_dom_release_phys(struct xc_dom_i void xc_dom_release(struct xc_dom_image *dom); int xc_dom_mem_init(struct xc_dom_image *dom, unsigned int mem_mb); -#define XC_DOM_DECOMPRESS_MAX (1024*1024*1024) /* 1GB */ -int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz); -int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz); - -int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz); -int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz); - size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen); int xc_dom_do_gunzip(xc_interface *xch, @@ -264,8 +254,7 @@ void xc_dom_log_memory_footprint(struct void *xc_dom_malloc(struct xc_dom_image *dom, size_t size); void *xc_dom_malloc_page_aligned(struct xc_dom_image *dom, size_t size); void *xc_dom_malloc_filemap(struct xc_dom_image *dom, - const char *filename, size_t * size, - const size_t max_size); + const char *filename, size_t * size); char *xc_dom_strdup(struct xc_dom_image *dom, const char *str); /* --- alloc memory pool ------------------------------------------- */ diff -r c26e1a79fe77 -r d07692b5c780 tools/libxc/xc_dom_bzimageloader.c --- a/tools/libxc/xc_dom_bzimageloader.c Thu Oct 25 17:12:55 2012 +0100 +++ b/tools/libxc/xc_dom_bzimageloader.c Fri Oct 26 11:39:42 2012 +0100 @@ -47,7 +47,7 @@ static int xc_try_bzip2_decode( char *out_buf; char *tmp_buf; int retval = -1; - unsigned int outsize; + int outsize; uint64_t total; stream.bzalloc = NULL; @@ -79,17 +79,6 @@ static int xc_try_bzip2_decode( stream.next_out = out_buf; stream.avail_out = dom->kernel_size; - /* - * stream.avail_in is an unsigned int, while kernel_size is a - * size_t. Check we aren't overflowing. - */ - if ( stream.avail_in != dom->kernel_size ) - { - DOMPRINTF("BZIP2: Input too large"); - free(out_buf); - goto bzip2_cleanup; - } - for ( ; ; ) { ret = BZ2_bzDecompress(&stream); @@ -109,20 +98,13 @@ static int xc_try_bzip2_decode( if ( stream.avail_out == 0 ) { /* Protect against output buffer overflow */ - if ( outsize > UINT_MAX / 2 ) + if ( outsize > INT_MAX / 2 ) { DOMPRINTF("BZIP2: output buffer overflow"); free(out_buf); goto bzip2_cleanup; } - if ( xc_dom_kernel_check_size(dom, outsize * 2) ) - { - DOMPRINTF("BZIP2: output too large"); - free(out_buf); - goto bzip2_cleanup; - } - tmp_buf = realloc(out_buf, outsize * 2); if ( tmp_buf == NULL ) { @@ -190,7 +172,7 @@ static int _xc_try_lzma_decode( unsigned char *out_buf; unsigned char *tmp_buf; int retval = -1; - size_t outsize; + int outsize; const char *msg; /* sigh. We don't know up-front how much memory we are going to need @@ -262,20 +244,13 @@ static int _xc_try_lzma_decode( if ( stream->avail_out == 0 ) { /* Protect against output buffer overflow */ - if ( outsize > SIZE_MAX / 2 ) + if ( outsize > INT_MAX / 2 ) { DOMPRINTF("%s: output buffer overflow", what); free(out_buf); goto lzma_cleanup; } - if ( xc_dom_kernel_check_size(dom, outsize * 2) ) - { - DOMPRINTF("%s: output too large", what); - free(out_buf); - goto lzma_cleanup; - } - tmp_buf = realloc(out_buf, outsize * 2); if ( tmp_buf == NULL ) { @@ -384,12 +359,6 @@ static int xc_try_lzo1x_decode( 0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a }; - /* - * lzo_uint should match size_t. Check that this is the case to be - * sure we won't overflow various lzo_uint fields. - */ - XC_BUILD_BUG_ON(sizeof(lzo_uint) != sizeof(size_t)); - ret = lzo_init(); if ( ret != LZO_E_OK ) { @@ -469,14 +438,6 @@ static int xc_try_lzo1x_decode( if ( src_len <= 0 || src_len > dst_len || src_len > left ) break; - msg = "Output buffer overflow"; - if ( *size > SIZE_MAX - dst_len ) - break; - - msg = "Decompressed image too large"; - if ( xc_dom_kernel_check_size(dom, *size + dst_len) ) - break; - msg = "Failed to (re)alloc memory"; tmp_buf = realloc(out_buf, *size + dst_len); if ( tmp_buf == NULL ) diff -r c26e1a79fe77 -r d07692b5c780 tools/libxc/xc_dom_core.c --- a/tools/libxc/xc_dom_core.c Thu Oct 25 17:12:55 2012 +0100 +++ b/tools/libxc/xc_dom_core.c Fri Oct 26 11:39:42 2012 +0100 @@ -159,8 +159,7 @@ void *xc_dom_malloc_page_aligned(struct } void *xc_dom_malloc_filemap(struct xc_dom_image *dom, - const char *filename, size_t * size, - const size_t max_size) + const char *filename, size_t * size) { struct xc_dom_mem *block = NULL; int fd = -1; @@ -172,13 +171,6 @@ void *xc_dom_malloc_filemap(struct xc_do lseek(fd, 0, SEEK_SET); *size = lseek(fd, 0, SEEK_END); - if ( max_size && *size > max_size ) - { - xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, - "tried to map file which is too large"); - goto err; - } - block = malloc(sizeof(*block)); if ( block == NULL ) goto err; @@ -230,40 +222,6 @@ char *xc_dom_strdup(struct xc_dom_image } /* ------------------------------------------------------------------------ */ -/* decompression buffer sizing */ -int xc_dom_kernel_check_size(struct xc_dom_image *dom, size_t sz) -{ - /* No limit */ - if ( !dom->max_kernel_size ) - return 0; - - if ( sz > dom->max_kernel_size ) - { - xc_dom_panic(dom->xch, XC_INVALID_KERNEL, - "kernel image too large"); - return 1; - } - - return 0; -} - -int xc_dom_ramdisk_check_size(struct xc_dom_image *dom, size_t sz) -{ - /* No limit */ - if ( !dom->max_ramdisk_size ) - return 0; - - if ( sz > dom->max_ramdisk_size ) - { - xc_dom_panic(dom->xch, XC_INVALID_KERNEL, - "ramdisk image too large"); - return 1; - } - - return 0; -} - -/* ------------------------------------------------------------------------ */ /* read files, copy memory blocks, with transparent gunzip */ size_t xc_dom_check_gzip(xc_interface *xch, void *blob, size_t ziplen) @@ -277,7 +235,7 @@ size_t xc_dom_check_gzip(xc_interface *x gzlen = blob + ziplen - 4; unziplen = gzlen[3] << 24 | gzlen[2] << 16 | gzlen[1] << 8 | gzlen[0]; - if ( (unziplen < 0) || (unziplen > XC_DOM_DECOMPRESS_MAX) ) + if ( (unziplen < 0) || (unziplen > (1024*1024*1024)) ) /* 1GB limit */ { xc_dom_printf (xch, @@ -330,9 +288,6 @@ int xc_dom_try_gunzip(struct xc_dom_imag if ( unziplen == 0 ) return 0; - if ( xc_dom_kernel_check_size(dom, unziplen) ) - return 0; - unzip = xc_dom_malloc(dom, unziplen); if ( unzip == NULL ) return -1; @@ -635,9 +590,6 @@ struct xc_dom_image *xc_dom_allocate(xc_ memset(dom, 0, sizeof(*dom)); dom->xch = xch; - dom->max_kernel_size = XC_DOM_DECOMPRESS_MAX; - dom->max_ramdisk_size = XC_DOM_DECOMPRESS_MAX; - if ( cmdline ) dom->cmdline = xc_dom_strdup(dom, cmdline); if ( features ) @@ -658,25 +610,10 @@ struct xc_dom_image *xc_dom_allocate(xc_ return NULL; } -int xc_dom_kernel_max_size(struct xc_dom_image *dom, size_t sz) -{ - DOMPRINTF("%s: kernel_max_size=%zx", __FUNCTION__, sz); - dom->max_kernel_size = sz; - return 0; -} - -int xc_dom_ramdisk_max_size(struct xc_dom_image *dom, size_t sz) -{ - DOMPRINTF("%s: ramdisk_max_size=%zx", __FUNCTION__, sz); - dom->max_ramdisk_size = sz; - return 0; -} - int xc_dom_kernel_file(struct xc_dom_image *dom, const char *filename) { DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename); - dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size, - dom->max_kernel_size); + dom->kernel_blob = xc_dom_malloc_filemap(dom, filename, &dom->kernel_size); if ( dom->kernel_blob == NULL ) return -1; return xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); @@ -685,10 +622,8 @@ int xc_dom_kernel_file(struct xc_dom_ima int xc_dom_ramdisk_file(struct xc_dom_image *dom, const char *filename) { DOMPRINTF("%s: filename=\"%s\"", __FUNCTION__, filename); - /* We do not enforce any particular size limit here */ dom->ramdisk_blob = - xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size, 0); - + xc_dom_malloc_filemap(dom, filename, &dom->ramdisk_size); if ( dom->ramdisk_blob == NULL ) return -1; // return xc_dom_try_gunzip(dom, &dom->ramdisk_blob, &dom->ramdisk_size); @@ -848,11 +783,7 @@ int xc_dom_build_image(struct xc_dom_ima void *ramdiskmap; unziplen = xc_dom_check_gzip(dom->xch, dom->ramdisk_blob, dom->ramdisk_size); - if ( xc_dom_ramdisk_check_size(dom, unziplen) != 0 ) - unziplen = 0; - ramdisklen = unziplen ? unziplen : dom->ramdisk_size; - if ( xc_dom_alloc_segment(dom, &dom->ramdisk_seg, "ramdisk", 0, ramdisklen) != 0 ) goto err; diff -r c26e1a79fe77 -r d07692b5c780 tools/libxl/xl_cmdimpl.c --- a/tools/libxl/xl_cmdimpl.c Thu Oct 25 17:12:55 2012 +0100 +++ b/tools/libxl/xl_cmdimpl.c Fri Oct 26 11:39:42 2012 +0100 @@ -2118,7 +2118,6 @@ start: case 0: LOG("Done. Exiting now"); - libxl_event_free(ctx, event); ret = 0; goto out; @@ -2128,7 +2127,6 @@ start: case LIBXL_EVENT_TYPE_DOMAIN_DEATH: LOG("Domain %d has been destroyed.", domid); - libxl_event_free(ctx, event); ret = 0; goto out; _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.