[Xen-changelog] [xen-4.2-testing] fix xenctl_cpumap_to_cpumask() buffer size check

[Xen patchbot-4.2-testing <patchbot@xxxxxxx>]

# HG changeset patch
# User Matthew Daley <mattjd@xxxxxxxxx>
# Date 1352886041 -3600
# Node ID bdb5cde7f79d77f8578bcd8e24d74d09a2c7caa6
# Parent  63159cebdbaab679a77905f03d186ba9e963638b
fix xenctl_cpumap_to_cpumask() buffer size check

xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
bits should be masked off from the input cpumap bitmap or not.

Fix by using the correct cpumask buffer size in place of sizeof.

Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>

Compare against copy_bytes instead, and use equality rather than less-
or-equal.

Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not
security relevant (i.e. the bug could not cause memory corruption):
_xmalloc() never returns chunks of data smaller than the size of a
pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the
piece of memory erroneously written to would still be inside the
allocation done at the top of the function.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
xen-unstable changeset: 26139:56400658f096
xen-unstable date: Tue Nov 13 10:28:10 UTC 2012
---


diff -r 63159cebdbaa -r bdb5cde7f79d xen/common/domctl.c
--- a/xen/common/domctl.c       Wed Nov 14 10:39:55 2012 +0100
+++ b/xen/common/domctl.c       Wed Nov 14 10:40:41 2012 +0100
@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
     {
         if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
             err = -EFAULT;
-        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) )
+        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
             bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));
     }
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog