[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] x86/hvm: correct hvm_ioreq_server_alloc_rangesets() failure path

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Thu, 19 Jun 2014 04:41:22 +0000
Delivery-date: Thu, 19 Jun 2014 04:41:26 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit a310f00882dfd4b07baedbab1e102cd4d0a4e867
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Jun 5 17:43:26 2014 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jun 5 17:43:26 2014 +0200

    x86/hvm: correct hvm_ioreq_server_alloc_rangesets() failure path
    
    Coverity-ID: 1220092 "Unsigned compare against 0"
    Coverity-ID: 1220093 "Out-of-bounds read"
    
    Both of these are cased by the the while() loop in the fail path, which
    results in an infinite loop and memory corruption from rangeset_destroy().
    
    Move hvm_ioreq_server_free_rangesets() up and use it for cleanup on the
    failure path.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
 xen/arch/x86/hvm/hvm.c |   27 +++++++++++++--------------
 1 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 4f993f4..1f13329 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -824,6 +824,18 @@ static void hvm_ioreq_server_unmap_pages(struct 
hvm_ioreq_server *s,
     }
 }
 
+static void hvm_ioreq_server_free_rangesets(struct hvm_ioreq_server *s,
+                                            bool_t is_default)
+{
+    unsigned int i;
+
+    if ( is_default )
+        return;
+
+    for ( i = 0; i < NR_IO_RANGE_TYPES; i++ )
+        rangeset_destroy(s->range[i]);
+}
+
 static int hvm_ioreq_server_alloc_rangesets(struct hvm_ioreq_server *s, 
                                             bool_t is_default)
 {
@@ -861,24 +873,11 @@ static int hvm_ioreq_server_alloc_rangesets(struct 
hvm_ioreq_server *s,
     return 0;
 
  fail:
-    while ( --i >= 0 )
-        rangeset_destroy(s->range[i]);
+    hvm_ioreq_server_free_rangesets(s, 0);
 
     return rc;
 }
 
-static void hvm_ioreq_server_free_rangesets(struct hvm_ioreq_server *s, 
-                                            bool_t is_default)
-{
-    unsigned int i;
-
-    if ( is_default )
-        return;
-
-    for ( i = 0; i < NR_IO_RANGE_TYPES; i++ )
-        rangeset_destroy(s->range[i]);
-}
-
 static void hvm_ioreq_server_enable(struct hvm_ioreq_server *s,
                                     bool_t is_default)
 {
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen master] iommu: set correct IOMMU entries when !iommu_hap_pt_share
Next by Date: [Xen-changelog] [xen master] x86/HVM: properly propagate errors from HVMOP_inject_msi
Previous by thread: [Xen-changelog] [xen master] iommu: set correct IOMMU entries when !iommu_hap_pt_share
Next by thread: [Xen-changelog] [xen master] x86/HVM: properly propagate errors from HVMOP_inject_msi
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.