Xen project Mailing List

Re: [Xen-devel] [PATCH] x86/hvm/ioreq: fix out of bounds access in error path

To: Wei Liu <wei.liu2@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Paul Durrant <Paul.Durrant@xxxxxxxxxx>

Date: Wed, 4 Apr 2018 11:11:15 +0000

Accept-language: en-GB, en-US

Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>

Delivery-date: Wed, 04 Apr 2018 11:11:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHTzASMHS+XqoksWU+JKTPdGeMC8KPwcvMw

Thread-topic: [PATCH] x86/hvm/ioreq: fix out of bounds access in error path

> -----Original Message----- > From: Wei Liu [mailto:wei.liu2@xxxxxxxxxx] > Sent: 04 April 2018 12:03 > To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx> > Cc: Wei Liu <wei.liu2@xxxxxxxxxx>; Jan Beulich <jbeulich@xxxxxxxx>; > Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; Paul Durrant > <Paul.Durrant@xxxxxxxxxx> > Subject: [PATCH] x86/hvm/ioreq: fix out of bounds access in error path > > It is possible to call the error path with i pointing beyond the end > of the array. > > There is another bug that if there is already a default ioreq server, > the code will actually sets the element to NULL, hence leaking memory. > > Move setting NULL to where it is needed. > > Coverity-ID: 1433777 > Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx> Reviewed-by: Paul Durrant <paul.durrant@xxxxxxxxxx> > --- > Cc: Jan Beulich <jbeulich@xxxxxxxx> > Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Cc: Paul Durrant <paul.durrant@xxxxxxxxxx> > --- > xen/arch/x86/hvm/ioreq.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c > index 9435291e87..2275278305 100644 > --- a/xen/arch/x86/hvm/ioreq.c > +++ b/xen/arch/x86/hvm/ioreq.c > @@ -811,7 +811,10 @@ int hvm_create_ioreq_server(struct domain *d, bool > is_default, > > rc = hvm_ioreq_server_init(s, d, bufioreq_handling, i); > if ( rc ) > + { > + set_ioreq_server(d, i, NULL); > goto fail; > + } > > if ( i == DEFAULT_IOSERVID ) > hvm_ioreq_server_enable(s); > @@ -825,8 +828,6 @@ int hvm_create_ioreq_server(struct domain *d, bool > is_default, > return 0; > > fail: > - set_ioreq_server(d, i, NULL); > - > spin_unlock_recursive(&d->arch.hvm_domain.ioreq_server.lock); > domain_unpause(d); > > -- > 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.