[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] domctl/vNUMA: avoid arithmetic overflow



commit b0dd772650e087cf474cd20abf23508b9b094f42
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Feb 6 09:55:18 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Feb 6 09:55:18 2020 +0100

    domctl/vNUMA: avoid arithmetic overflow
    
    Checking the result of a multiplication against a certain limit has no
    sufficient implication on the original value's range. In the case here
    it is in particular problematic that while handling the domctl we do
    
        if ( copy_from_guest(info->vdistance, uinfo->vdistance,
                             nr_vnodes * nr_vnodes) )
            goto vnuma_fail;
    
    which means copying sizeof(unsigned int) * (nr_vnodes * nr_vnodes)
    bytes, and the handling of XENMEM_get_vnumainfo similarly has
    
            tmp.vdistance = xmalloc_array(unsigned int, dom_vnodes * 
dom_vnodes);
    
    which means allocating sizeof(unsigned int) * (dom_vnodes * dom_vnodes)
    bytes, whereas in then goes on doing this:
    
            memcpy(tmp.vdistance, d->vnuma->vdistance,
                   sizeof(*d->vnuma->vdistance) * dom_vnodes * dom_vnodes);
    
    Note the lack of parentheses in the multiplication expression.
    
    Adjust the overflow check, moving the must-not-be-zero one right next to
    it to avoid questions on whether there might be division by zero.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Wei Liu <wl@xxxxxxx>
---
 xen/common/domctl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index 8b819f56e5..8370fad8ef 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -263,7 +263,8 @@ static struct vnuma_info *vnuma_alloc(unsigned int 
nr_vnodes,
      * Check if any of the allocations are bigger than PAGE_SIZE.
      * See XSA-77.
      */
-    if ( nr_vnodes * nr_vnodes > (PAGE_SIZE / sizeof(*vnuma->vdistance)) ||
+    if ( nr_vnodes == 0 ||
+         nr_vnodes > (PAGE_SIZE / sizeof(*vnuma->vdistance) / nr_vnodes) ||
          nr_ranges > (PAGE_SIZE / sizeof(*vnuma->vmemrange)) )
         return ERR_PTR(-EINVAL);
 
@@ -302,7 +303,7 @@ static struct vnuma_info *vnuma_init(const struct 
xen_domctl_vnuma *uinfo,
 
     nr_vnodes = uinfo->nr_vnodes;
 
-    if ( nr_vnodes == 0 || uinfo->nr_vcpus != d->max_vcpus || uinfo->pad != 0 )
+    if ( uinfo->nr_vcpus != d->max_vcpus || uinfo->pad != 0 )
         return ERR_PTR(ret);
 
     info = vnuma_alloc(nr_vnodes, uinfo->nr_vmemranges, d->max_vcpus);
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.