[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 6/6] domctl/vNUMA: avoid arithmetic overflow

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Wei Liu <wl@xxxxxxx>
Date: Wed, 5 Feb 2020 15:13:41 +0000
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 05 Feb 2020 15:14:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Feb 05, 2020 at 02:17:02PM +0100, Jan Beulich wrote:
> Checking the result of a multiplication against a certain limit has no
> sufficient implication on the original value's range. In the case here
> it is in particular problematic that while handling the domctl we do
> 
>     if ( copy_from_guest(info->vdistance, uinfo->vdistance,
>                          nr_vnodes * nr_vnodes) )
>         goto vnuma_fail;
> 
> which means copying sizeof(unsigned int) * (nr_vnodes * nr_vnodes)
> bytes, and the handling of XENMEM_get_vnumainfo similarly has
> 
>         tmp.vdistance = xmalloc_array(unsigned int, dom_vnodes * dom_vnodes);
> 
> which means allocating sizeof(unsigned int) * (dom_vnodes * dom_vnodes)
> bytes, whereas in then goes on doing this:
> 
>         memcpy(tmp.vdistance, d->vnuma->vdistance,
>                sizeof(*d->vnuma->vdistance) * dom_vnodes * dom_vnodes);
> 
> Note the lack of parentheses in the multiplication expression.
> 
> Adjust the overflow check, moving the must-not-be-zero one right next to
> it to avoid questions on whether there might be division by zero.
> 
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Reviewed-by: Wei Liu <wl@xxxxxxx>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH 0/6] misc hardening and some cleanup
  - From: Jan Beulich
- [Xen-devel] [PATCH 6/6] domctl/vNUMA: avoid arithmetic overflow
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v7 05/10] x86/hyperv: setup hypercall page
Next by Date: Re: [Xen-devel] [PATCH v2 00/14] Convert cpu_up/down to device_online/offline
Previous by thread: [Xen-devel] [PATCH 6/6] domctl/vNUMA: avoid arithmetic overflow
Next by thread: Re: [Xen-devel] [PATCH 0/6] misc hardening and some cleanup
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.