Re: [Xen-devel] [PATCH] x86/hvm: Fix boundary check in hvmemul_insn_fetch()



>>> Andrew Cooper <andrew.cooper3@xxxxxxxxxx> 07/25/17 8:55 PM >>>
>--- a/xen/arch/x86/hvm/emulate.c
>+++ b/xen/arch/x86/hvm/emulate.c
>@@ -958,8 +958,8 @@ int hvmemul_insn_fetch(
>* Will we overflow insn_buf[]?  This shouldn't be able to happen,
>* which means something went wrong with instruction decoding...
>*/
>- if ( insn_off > sizeof(hvmemul_ctxt->insn_buf) ||
>-                 (insn_off + bytes) > sizeof(hvmemul_ctxt->insn_buf) )
>+            if ( insn_off >= sizeof(hvmemul_ctxt->insn_buf) ||
>+                 (insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf) )
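
Review bot: The second condition, (insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf), rejects a fetch that ends exactly at the end of insn_buf[]. With insn_off == 0 and bytes == sizeof(hvmemul_ctxt->insn_buf), the bytes occupy indices 0 through sizeof - 1 and nothing overflows, yet the check fires. Suggest keeping ">" on the sum and changing only the first comparison to ">=", so an offset equal to the buffer size is rejected while a fetch that fills the buffer to its last byte is still accepted.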

I agree with the change to the first line, but are you sure about the
second one? Taking the example of insn_off == 0, surely
bytes == sizeof() is fine?

Jan

