Re: A possible pointer_overflow in xen-4.13
- To: Rroach <2284696125@xxxxxx>
- From: Jan Beulich <jbeulich@xxxxxxxx>
- Date: Wed, 7 Jul 2021 17:59:35 +0200
- Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Wed, 07 Jul 2021 15:59:44 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 07.07.2021 17:54, Rroach wrote:
> Hi, sorry about the late response. I tried your suggestion; it works. I'm kind
> of surprised too, since such a problem should have been exposed a long time ago.
>
> I looked deep into your suggestion. I believe you were right about it, since
> p - ctxt->io_emul_stub won't overflow and the pointer overflow is
> likely to happen in stub_va + p
> or ctxt->io_emul_stub.
>
> Andrew's suggestion works, perhaps since the long variable allows the expression
> to store more bytes,
Xen (as much as e.g. Linux and I think most other Unix-es) assumes sizeof(void*)
and sizeof(long) to be the same.
> however, in the long term it may not be a solid solution. So, alternatively, should we
> take both pieces of advice, using
> + long disp = (long)(f) - (long)(stub_va + (p - ctxt->io_emul_stub)
> + 5); \
> as a fix patch?
I don't think so - we try to avoid casts wherever they're not strictly needed.
Btw, to record you in an eventual patch with a Reported-by, would you mind
providing your real name and maybe a less temporary-looking email address?
Jan
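As an added example, which is neither Xen's code nor from either correspondent, here is the computation the thread is about: the rel32 displacement for a CALL that is assembled into ctxt->io_emul_stub at p but executes from stub_va, done on uintptr_t so that no pointer arithmetic can overflow, with a reachability check and a decode-back round trip. The names stub_va, p, io_emul_stub and f follow the thread; the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define CALL_INSN_LEN 5   /* E8 <rel32>: one opcode byte plus a 4-byte displacement */

/* Signed distance from the instruction following a CALL at stub_va + off to f.
 * Done on uintptr_t: unsigned wrap-around is defined, whereas pointer arithmetic
 * that steps outside the stub buffer is undefined behaviour. Always fits 64 bits. */
int64_t call_disp(uintptr_t stub_va, size_t off, uintptr_t f)
{
    uintptr_t next = stub_va + off + CALL_INSN_LEN;  /* rel32 is relative to the next insn */
    return (int64_t)(f - next);                      /* two's complement reinterpretation */
}

bool rel32_reachable(int64_t d) { return d >= INT32_MIN && d <= INT32_MAX; }

/* Emit the CALL at p, which points into io_emul_stub (the buffer being assembled)
 * while the finished stub executes at stub_va. Returns the advanced write pointer,
 * or NULL when f is out of rel32 range rather than emitting a truncated displacement. */
uint8_t *append_call(uint8_t *io_emul_stub, uint8_t *p, uintptr_t stub_va, uintptr_t f)
{
    int64_t d = call_disp(stub_va, (size_t)(p - io_emul_stub), f);
    if (!rel32_reachable(d))
        return NULL;
    *p++ = 0xE8;
    for (int i = 0; i < 4; i++)                      /* little-endian, host-independent */
        *p++ = (uint8_t)((uint32_t)(int32_t)d >> (8 * i));
    return p;
}

/* Decode the CALL at offset off and report where it lands once mapped at stub_va. */
uintptr_t call_target(const uint8_t *io_emul_stub, size_t off, uintptr_t stub_va)
{
    uint32_t raw = 0;
    for (int i = 0; i < 4; i++)
        raw |= (uint32_t)io_emul_stub[off + 1 + i] << (8 * i);
    return stub_va + off + CALL_INSN_LEN + (uintptr_t)(intptr_t)(int32_t)raw;
}

/* Assemble one CALL into a scratch stub, decode it back and check it lands on f. */
bool call_roundtrip_ok(uintptr_t stub_va, size_t off, uintptr_t f)
{
    uint8_t io_emul_stub[32] = { 0 };
    if (off + CALL_INSN_LEN > sizeof(io_emul_stub))
        return false;
    uint8_t *p = append_call(io_emul_stub, io_emul_stub + off, stub_va, f);
    return p == io_emul_stub + off + CALL_INSN_LEN && call_target(io_emul_stub, off, stub_va) == f;
}
```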