[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] fix xenctl_cpumap_to_cpumask() buffer size check


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-unstable <patchbot@xxxxxxx>
  • Date: Tue, 13 Nov 2012 16:22:07 +0000
  • Delivery-date: Tue, 13 Nov 2012 16:22:20 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Matthew Daley <mattjd@xxxxxxxxx>
# Date 1352802490 -3600
# Node ID 56400658f0962099988678487e525d12f869a96a
# Parent  a3cde70320ada4a5424c37f65b8fe3753fc95205
fix xenctl_cpumap_to_cpumask() buffer size check

xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
bits should be masked off from the input cpumap bitmap or not.

Fix by using the correct cpumask buffer size in place of sizeof.

Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>

Compare against copy_bytes instead, and use equality rather than less-
or-equal.

Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not
security relevant (i.e. the bug could not cause memory corruption):
_xmalloc() never returns chunks of data smaller than the size of a
pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the
piece of memory erroneously written to would still be inside the
allocation done at the top of the function.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
Committed-by: Jan Beulich <jbeulich@xxxxxxxx>
---


diff -r a3cde70320ad -r 56400658f096 xen/common/domctl.c
--- a/xen/common/domctl.c       Mon Nov 12 17:03:21 2012 +0000
+++ b/xen/common/domctl.c       Tue Nov 13 11:28:10 2012 +0100
@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
     {
         if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
             err = -EFAULT;
-        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) )
+        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
             bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));
     }
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.