|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v5 08/14] hvmloader: Locate the BIOS blob
>>> On 22.06.16 at 19:15, <anthony.perard@xxxxxxxxxx> wrote:
> --- a/tools/firmware/hvmloader/hvmloader.c
> +++ b/tools/firmware/hvmloader/hvmloader.c
> @@ -253,10 +253,51 @@ static void acpi_enable_sci(void)
> BUG_ON(!(pm1a_cnt_val & ACPI_PM1C_SCI_EN));
> }
>
> +const struct hvm_modlist_entry *get_module_entry(
> + const struct hvm_start_info *info,
> + const char *name)
> +{
> + const struct hvm_modlist_entry *modlist =
> + (struct hvm_modlist_entry *)(uint32_t)info->modlist_paddr;
> + unsigned int i;
> +
> + if ( !modlist || info->modlist_paddr > UINT_MAX)
> + return NULL;
How about info->modlist_paddr + info->nr_modules * sizeof()?
You check for overflow below, but not here. I think you should
either consistently rely on there being something right below 4Gb
which makes this impossible (and then say so in a comment), or
do full checks everywhere.
> + for ( i = 0; i < info->nr_modules; i++ )
> + {
> + uint32_t module_name = modlist[i].cmdline_paddr;
> +
> + /* Skip if the module or its cmdline is missing. */
> + if ( !module_name || !modlist[i].paddr )
> + continue;
> +
> + /* Skip if the cmdline can not be read. */
> + if ( modlist[i].cmdline_paddr > UINT_MAX )
> + continue;
Similarly here.
> + if ( !strcmp(name, (char*)module_name) )
Stray cast.
> + {
> + if ( modlist[i].paddr > UINT_MAX || modlist[i].size > UINT_MAX ||
> + (modlist[i].paddr + modlist[i].size) > UINT_MAX )
I think the last one could be >=.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |