[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 02/22] libxc: introduce xc_dom_seg_to_ptr_pages

Andrew Cooper writes ("Re: [PATCH 02/22] libxc: introduce 
> With a view to security, why does this change need to be present?
> At the end of the v6 series, this new function has 1 caller from
> xc_dom_load_elf_kernel() and 5 callers of the original function.
> >From looking at the semantics of the function, it either returns NULL,
> or maps all requested pages (xc_dom_seg size rounded up to the nearest page)
> With that in mind, xc_dom_load_elf_kernel() can calculate elf->dest_size
> given a successful mapping from xc_dom_seg_to_ptr(), without needing
> this _pages() variant.

This avoids duplicating the calculation of the number of pages
allocated.  Duplication of logic is of course in general a bad idea.

In this specific case there would be a risk that an error in one of
the functions (or perhaps future changes) would result in a difference
between the two calculations, which (if the error is in the
unfortunate direction) would result in a security problem.

In general I think it is best to always carry the pointer and length
together so for an allocation/access function of this kind to return
both the pointer and length.

Or to put it another way: doing it this way makes it easier to see
that the resulting code is correct.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.