Xen project Mailing List

Re: [Xen-devel] [PATCH] Off-by-one in cpu_gdt_init

From: David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>

Date: Mon, 06 Jun 2005 17:14:15 +0100

Delivery-date: Mon, 06 Jun 2005 16:13:27 +0000

List-id: Xen developer discussion <xen-devel.lists.xensource.com>

George Washington Dunlap III wrote:

I forget what triggered this bug (it was a long time ago), butcpu_gdt_init() is trying to allocate an array, one per frame, based ongdt_descr->size. However, the math currently rounds down instead of up!(I'm pretty sure that when I triggered it, (gdt_descr->size>>PAGE_SHIFT)was 0.)


diff -urN --exclude=SCCS --exclude=BitKeeper 
xen-unstable.latest/linux-2.6.11-xen-sparse/arch/xen/i386/kernel/cpu/common.c 
xeno-ft/linux-2.6.11-xen-sparse/arch/xen/i386/kernel/cpu/common.c
--- 
xen-unstable.latest/linux-2.6.11-xen-sparse/arch/xen/i386/kernel/cpu/common.c   
    2005-05-16 13:05:03.000000000 -0400
+++ xeno-ft/linux-2.6.11-xen-sparse/arch/xen/i386/kernel/cpu/common.c   
2005-05-16 13:55:06.000000000 -0400
@@ -554,7 +554,7 @@

void __init cpu_gdt_init(struct Xgt_desc_struct *gdt_descr)

 {
-       unsigned long frames[gdt_descr->size >> PAGE_SHIFT];
+       unsigned long frames[(gdt_descr->size >> PAGE_SHIFT)+1];

Variable-length arrays? Never use variable-length arrays in code that needs to be robust: you can't guarantee that the stack won't overflow. If it does, there is no way to detect that situtation (unlike malloc et al where you can check for NULL), you just get undefined behaviour. -- David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.