[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v23 1/2] common: add a new mappable resource type: XENMEM_resource_grant_table

To: "Paul Durrant" <paul.durrant@xxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Thu, 09 Aug 2018 04:23:37 -0600
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 09 Aug 2018 10:23:43 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 09.08.18 at 11:59, <paul.durrant@xxxxxxxxxx> wrote:
> +static int gnttab_get_status_frame_mfn(struct domain *d,
> +                                       unsigned long idx, mfn_t *mfn)
> +{
> +    const struct grant_table *gt = d->grant_table;
> +
> +    ASSERT(gt->gt_version == 2);
> +
> +    if ( idx >= nr_status_frames(gt) )
> +    {
> +        unsigned long nr_status;
> +        unsigned long nr_grant;
> +
> +        nr_status = idx + 1; /* sufficient frames to make idx valid */
> +
> +        if ( nr_status <= nr_status_frames(gt) ) /* overflow check */
> +            return -EINVAL;

Still pretty odd a check, even if now at least correct. Why not simply
check nr_status to be zero? Let me know if you're fine with me making
this adjustment while committing:
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

That said though - idx being -1UL is not really "invalid". In an abstract
world it simply means a fully populated table of maximum size. But of
course the table can't grow this large in practice, because each entry
is more than one byte (i.e. we'd still get -EINVAL further down).

> +        nr_grant = status_to_grant_frames(nr_status);

Irrespective of the R-b above: This is the real source of possible
overflows, as here nr_status gets multiplied by a value larger than 1.
I therefore wonder whether it wouldn't be better to check here
that the reverse translation yields nr_status again. Once again I'd
be fine adding this while committing, provided you agree.

Otoh I'm not convinced all this overflow checking does much good
here anyway: Anyone setting the maximum table size so absurdly
high that this would start to matter is going to have bigger trouble
anyway afaict.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v23 1/2] common: add a new mappable resource type: XENMEM_resource_grant_table
  - From: Paul Durrant

References:
- [Xen-devel] [PATCH v23 0/2] guest resource mapping (reprise)
  - From: Paul Durrant
- [Xen-devel] [PATCH v23 1/2] common: add a new mappable resource type: XENMEM_resource_grant_table
  - From: Paul Durrant

Prev by Date: Re: [Xen-devel] [PATCH v4 4/4] x86/iommu: add reserved dom0-iommu option to map reserved memory ranges
Next by Date: [Xen-devel] [xen-4.9-testing test] 125799: regressions - trouble: blocked/broken/fail/pass
Previous by thread: [Xen-devel] [PATCH v23 1/2] common: add a new mappable resource type: XENMEM_resource_grant_table
Next by thread: Re: [Xen-devel] [PATCH v23 1/2] common: add a new mappable resource type: XENMEM_resource_grant_table
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.