Xen project Mailing List

Re: [Xen-devel] [PATCH] x86/hvm: Correct hvm_ioreq_server_alloc_rangesets() failure path

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>

From: Paul Durrant <Paul.Durrant@xxxxxxxxxx>

Date: Wed, 4 Jun 2014 11:30:27 +0000

Accept-language: en-GB, en-US

Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, "Keir \(Xen.org\)" <keir@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>

Delivery-date: Wed, 04 Jun 2014 11:30:39 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Thread-index: AQHPf+Q8clm+rLO530mxPGUP6eEdtZtg0M8w

Thread-topic: [PATCH] x86/hvm: Correct hvm_ioreq_server_alloc_rangesets() failure path

> -----Original Message----- > From: Andrew Cooper [mailto:andrew.cooper3@xxxxxxxxxx] > Sent: 04 June 2014 12:01 > To: Xen-devel > Cc: Andrew Cooper; Keir (Xen.org); Jan Beulich; Paul Durrant > Subject: [PATCH] x86/hvm: Correct hvm_ioreq_server_alloc_rangesets() > failure path > > Coverity-ID: 1220092 "Unsigned compare against 0" > Coverity-ID: 1220093 "Out-of-bounds read" > > Both of these are cased by the the while() loop in the fail path, which > results in an infinite loop and memory corruption from rangeset_destroy(). > > Move hvm_ioreq_server_free_rangesets() up and use it for cleanup on the > failure path. > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > CC: Keir Fraser <keir@xxxxxxx> > CC: Jan Beulich <JBeulich@xxxxxxxx> > CC: Paul Durrant <paul.durrant@xxxxxxxxxx> Reviewed-by: Paul Durrant <paul.durrant@xxxxxxxxxx> > --- > xen/arch/x86/hvm/hvm.c | 27 +++++++++++++-------------- > 1 file changed, 13 insertions(+), 14 deletions(-) > > diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c > index 4f993f4..1f13329 100644 > --- a/xen/arch/x86/hvm/hvm.c > +++ b/xen/arch/x86/hvm/hvm.c > @@ -824,6 +824,18 @@ static void hvm_ioreq_server_unmap_pages(struct > hvm_ioreq_server *s, > } > } > > +static void hvm_ioreq_server_free_rangesets(struct hvm_ioreq_server *s, > + bool_t is_default) > +{ > + unsigned int i; > + > + if ( is_default ) > + return; > + > + for ( i = 0; i < NR_IO_RANGE_TYPES; i++ ) > + rangeset_destroy(s->range[i]); > +} > + > static int hvm_ioreq_server_alloc_rangesets(struct hvm_ioreq_server *s, > bool_t is_default) > { > @@ -861,24 +873,11 @@ static int hvm_ioreq_server_alloc_rangesets(struct > hvm_ioreq_server *s, > return 0; > > fail: > - while ( --i >= 0 ) > - rangeset_destroy(s->range[i]); > + hvm_ioreq_server_free_rangesets(s, 0); > > return rc; > } > > -static void hvm_ioreq_server_free_rangesets(struct hvm_ioreq_server *s, > - bool_t is_default) > -{ > - unsigned int i; > - > - if ( is_default ) > - return; > - > - for ( i = 0; i < NR_IO_RANGE_TYPES; i++ ) > - rangeset_destroy(s->range[i]); > -} > - > static void hvm_ioreq_server_enable(struct hvm_ioreq_server *s, > bool_t is_default) > { > -- > 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.