[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] tmem: check the return value of copy to guest
commit c8e6ce764fd0f84cb345b8dc18508e313099e61e Author: Bob Liu <lliubbo@xxxxxxxxx> AuthorDate: Thu Dec 12 19:05:15 2013 +0800 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Wed Jan 8 08:55:38 2014 +0100 tmem: check the return value of copy to guest Use function copy_to_guest_offset/copy_to_guest directly and check their return value. This also fixes CID 1132754, and 1132755: "Unchecked return value If the function returns an error value, the error value may be mistaken for a normal value. In tmem_copy_to_client_buf_offset: Value returned from a function is not checked for errors before being used (CWE-252)" And CID 1055125, 1055126, 1055127, 1055128, 1055129, 1055130 "Unchecked return value If the function returns an error value, the error value may be mistaken for a normal value. In <functions changed>: Value returned from a function is not checked for errors before being used (CWE-252)" Signed-off-by: Bob Liu <bob.liu@xxxxxxxxxx> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> --- xen/common/tmem.c | 34 ++++++++++++++++++++-------------- xen/include/xen/tmem_xen.h | 14 -------------- 2 files changed, 20 insertions(+), 28 deletions(-) diff --git a/xen/common/tmem.c b/xen/common/tmem.c index fc75229..d9e912b 100644 --- a/xen/common/tmem.c +++ b/xen/common/tmem.c @@ -2063,8 +2063,8 @@ static int tmemc_list_client(struct client *c, tmem_cli_va_param_t buf, c->eph_count, c->eph_count_max, c->compressed_pages, c->compressed_sum_size, c->compress_poor, c->compress_nomem); - tmem_copy_to_client_buf_offset(buf,off+sum,info,n+1); - sum += n; + if ( !copy_to_guest_offset(buf, off + sum, info, n + 1) ) + sum += n; for ( i = 0; i < MAX_POOLS_PER_DOMAIN; i++ ) { if ( (p = c->pools[i]) == NULL ) @@ -2091,8 +2091,8 @@ static int tmemc_list_client(struct client *c, tmem_cli_va_param_t buf, p->flushs_found, p->flushs, p->flush_objs_found, p->flush_objs); if ( sum + n >= len ) return sum; - tmem_copy_to_client_buf_offset(buf,off+sum,info,n+1); - sum += n; + if ( !copy_to_guest_offset(buf, off + sum, info, n + 1) ) + sum += n; } return sum; } @@ -2130,8 +2130,8 @@ static int tmemc_list_shared(tmem_cli_va_param_t buf, int off, uint32_t len, p->flushs_found, p->flushs, p->flush_objs_found, p->flush_objs); if ( sum + n >= len ) return sum; - tmem_copy_to_client_buf_offset(buf,off+sum,info,n+1); - sum += n; + if ( !copy_to_guest_offset(buf, off + sum, info, n + 1) ) + sum += n; } return sum; } @@ -2147,8 +2147,8 @@ static int tmemc_list_global_perf(tmem_cli_va_param_t buf, int off, n += scnprintf(info+n,BSIZE-n,"\n"); if ( sum + n >= len ) return sum; - tmem_copy_to_client_buf_offset(buf,off+sum,info,n+1); - sum += n; + if ( !copy_to_guest_offset(buf, off + sum, info, n + 1) ) + sum += n; return sum; } @@ -2179,8 +2179,8 @@ static int tmemc_list_global(tmem_cli_va_param_t buf, int off, uint32_t len, tot_good_eph_puts,deduped_puts,pcd_tot_tze_size,pcd_tot_csize); if ( sum + n >= len ) return sum; - tmem_copy_to_client_buf_offset(buf,off+sum,info,n+1); - sum += n; + if ( !copy_to_guest_offset(buf, off + sum, info, n + 1) ) + sum += n; return sum; } @@ -2366,8 +2366,9 @@ static int tmemc_save_subop(int cli_id, uint32_t pool_id, case TMEMC_SAVE_GET_POOL_UUID: if ( pool == NULL ) break; - tmem_copy_to_client_buf(buf, pool->uuid, 2); rc = 0; + if ( copy_to_guest(guest_handle_cast(buf, void), pool->uuid, 2) ) + rc = -EFAULT; break; case TMEMC_SAVE_END: if ( client == NULL ) @@ -2430,8 +2431,12 @@ static int tmemc_save_get_next_page(int cli_id, uint32_t pool_id, BUILD_BUG_ON(sizeof(h.oid) != sizeof(oid)); memcpy(h.oid, oid.oid, sizeof(h.oid)); h.index = pgp->index; - tmem_copy_to_client_buf(buf, &h, 1); - tmem_client_buf_add(buf, sizeof(h)); + if ( copy_to_guest(guest_handle_cast(buf, void), &h, 1) ) + { + ret = -EFAULT; + goto out; + } + guest_handle_add_offset(buf, sizeof(h)); ret = do_tmem_get(pool, &oid, pgp->index, 0, buf); out: @@ -2474,8 +2479,9 @@ static int tmemc_save_get_next_inv(int cli_id, tmem_cli_va_param_t buf, BUILD_BUG_ON(sizeof(h.oid) != sizeof(pgp->inv_oid)); memcpy(h.oid, pgp->inv_oid.oid, sizeof(h.oid)); h.index = pgp->index; - tmem_copy_to_client_buf(buf, &h, 1); ret = 1; + if ( copy_to_guest(guest_handle_cast(buf, void), &h, 1) ) + ret = -EFAULT; out: spin_unlock(&pers_lists_spinlock); return ret; diff --git a/xen/include/xen/tmem_xen.h b/xen/include/xen/tmem_xen.h index 4e6c234..885ee21 100644 --- a/xen/include/xen/tmem_xen.h +++ b/xen/include/xen/tmem_xen.h @@ -313,21 +313,7 @@ static inline int tmem_get_tmemop_from_client(tmem_op_t *op, tmem_cli_op_t uops) } #define tmem_cli_buf_null guest_handle_from_ptr(NULL, char) - -static inline void tmem_copy_to_client_buf_offset(tmem_cli_va_param_t clibuf, - int off, - char *tmembuf, int len) -{ - copy_to_guest_offset(clibuf,off,tmembuf,len); -} - -#define tmem_copy_to_client_buf(clibuf, tmembuf, cnt) \ - copy_to_guest(guest_handle_cast(clibuf, void), tmembuf, cnt) - -#define tmem_client_buf_add guest_handle_add_offset - #define TMEM_CLI_ID_NULL ((domid_t)((domid_t)-1L)) - #define tmem_cli_id_str "domid" #define tmem_client_str "domain" -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |