[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range

To: "xen-devel" <xen-devel@xxxxxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Tue, 18 Sep 2012 16:24:46 +0100
Delivery-date: Tue, 18 Sep 2012 15:25:05 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

In particular, the case of "np" being a very large value wasn't handled
correctly. The range start checks also were off by one (except that in
practice, when "np" is properly range checked, this would still have
been caught by the range end checks).

Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay?

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -884,7 +884,7 @@ long arch_do_domctl(
         int found = 0;
 
         ret = -EINVAL;
-        if ( (np == 0) || (fgp > MAX_IOPORTS) || (fmp > MAX_IOPORTS) ||
+        if ( ((fgp | fmp | (np - 1)) >= MAX_IOPORTS) ||
             ((fgp + np) > MAX_IOPORTS) || ((fmp + np) > MAX_IOPORTS) )
         {
             printk(XENLOG_G_ERR




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range
  - From: Keir Fraser

Prev by Date: [Xen-devel] [PATCH] x86/ACPI: fix error indication from acpi_parse_madt_lapic_entries()
Next by Date: Re: [Xen-devel] [PATCH] EHCI/Xen: propagate controller reset information to hypervisor
Previous by thread: [Xen-devel] [PATCH] x86/ACPI: fix error indication from acpi_parse_madt_lapic_entries()
Next by thread: Re: [Xen-devel] [PATCH] x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.