[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] Re: [PATCH]mini-os: Bug in allocate_xenbus_id()
That's a good catch. Did you see the bug manifesting itself in practice? Keir could you apply please? Thanks. Gregor Dietmar Hahn wrote: Hi Gregor, in allocate_xenbus_id() the static variable probe never gets reset. Therewidth id's >= NR_REQS are possible, which lead to an overflow in req_info[] and may crash the mini-os. Thanks. Dietmar Signed-off-by: Dietmar Hahn <dietmar.hahn@xxxxxxxxxxxxxxxxxxx> # HG changeset patch # User dietmar.hahn@xxxxxxxxxxxxxxxxxxx # Date 1171877953 -3600 # Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415 # Parent b5fc88aad1b0eb35d12e503982c70fdc27f0544aBecause probe never gets decremented (or reset), id >= NR_REQS is possible, which may lead to a crash.diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c --- a/extras/mini-os/xenbus/xenbus.c Sun Feb 18 15:29:40 2007 +0000 +++ b/extras/mini-os/xenbus/xenbus.c Mon Feb 19 10:39:13 2007 +0100 @@ -210,7 +210,7 @@ static int allocate_xenbus_id(void) } nr_live_reqs++; req_info[o_probe].in_use = 1; - probe = o_probe + 1; + probe = (o_probe + 1) % NR_REQS; spin_unlock(&req_lock); init_waitqueue_head(&req_info[o_probe].waitq); _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |