[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [PATCH]mini-os: Bug in allocate_xenbus_id()

That's a good catch. Did you see the bug manifesting itself in practice?

Keir could you apply please?
Thanks.
Gregor

Dietmar Hahn wrote:

Hi Gregor,

in allocate_xenbus_id() the static variable probe never gets reset.
Therewidth id's >= NR_REQS are possible, which lead to an overflow in
req_info[] and may crash the  mini-os.
Thanks.

Dietmar

Signed-off-by: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx>

# HG changeset patch
# User dietmar.hahn@xxxxxxxxxxxxxxxxxxx
# Date 1171877953 -3600
# Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415
# Parent  b5fc88aad1b0eb35d12e503982c70fdc27f0544a
Because probe never gets decremented (or reset), id >= NR_REQS is possible, which may lead to a crash. 

diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c
--- a/extras/mini-os/xenbus/xenbus.c    Sun Feb 18 15:29:40 2007 +0000
+++ b/extras/mini-os/xenbus/xenbus.c    Mon Feb 19 10:39:13 2007 +0100
@@ -210,7 +210,7 @@ static int allocate_xenbus_id(void)
     }
     nr_live_reqs++;
     req_info[o_probe].in_use = 1;
-    probe = o_probe + 1;
+    probe = (o_probe + 1) % NR_REQS;
     spin_unlock(&req_lock);
     init_waitqueue_head(&req_info[o_probe].waitq);


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.