
Re: A possible pointer_overflow in xen-4.13


  • To: Rroach <2284696125@xxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 7 Jul 2021 17:59:35 +0200
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 07 Jul 2021 15:59:44 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.07.2021 17:54, Rroach wrote:
> Hi, sorry about the late response. I tried your suggestion, it works. I'm kind
> of surprised too, since such a problem should have been exposed a long time ago.
> 
> I looked deep into your suggestion. I believe you were right about it, since
> p - ctxt->io_emul_stub won't overflow and the pointer overflow is
> likely to happen in stub_va + p
> or ctxt->io_emul_stub.
> 
> Andrew's suggestion works, perhaps because the long variable allows the expression
> to store more bytes,

Xen (as much as e.g. Linux and I think most other Unix-es) assumes sizeof(void*)
and sizeof(long) to be the same.

> however in the long term it may not be a solid solution. So alternatively, should we
> take both pieces of advice, using
> +   long disp = (long)(f) - (long)(stub_va + (p - ctxt->io_emul_stub) + 5); \
> as a fix patch?

I don't think so - we try to avoid casts wherever they're not strictly needed.

Btw, to record you in an eventual patch with a Reported-by, would you mind
providing your real name and maybe a less temporary-looking email address?

Jan
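As an added illustration of the two points above (this is example code written for this archive page, not Xen's code and not the patch under discussion): the sizeof(void *) == sizeof(long) assumption is made explicit with a static assertion, and the CALL displacement is computed entirely on unsigned long values, so the difference p - ctxt->io_emul_stub is the only pointer subtraction and nothing is ever added to a pointer. The stub_ctx structure, its field names, and the addresses used are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>

/* Make the assumption Xen (and Linux) rely on explicit and compiler-checked. */
_Static_assert(sizeof(void *) == sizeof(long),
               "this code assumes sizeof(void *) == sizeof(long)");

/* Hypothetical context: the stub bytes are written through buf but will
 * execute at the separate virtual address stub_va. */
struct stub_ctx {
    unsigned char *buf;     /* writable view (like ctxt->io_emul_stub) */
    unsigned long stub_va;  /* executable view of the same bytes */
};

/* Translate the write cursor p into the executable-view address.
 * p - buf is well-defined C (both point into the same object); the
 * result is then added to an integer, never to another pointer. */
static unsigned long exec_addr(const struct stub_ctx *ctx,
                               const unsigned char *p)
{
    return ctx->stub_va + (unsigned long)(p - ctx->buf);
}

/* rel32 displacement for a 5-byte CALL located at call_site. The
 * subtraction is modular on unsigned long (defined behaviour), then
 * reinterpreted as signed and range-checked against the rel32 limits.
 * Returns false when the target is out of reach. */
static bool rel32_disp(unsigned long target, unsigned long call_site,
                       int32_t *disp)
{
    unsigned long next = call_site + 5;   /* address following the CALL */
    long d = (long)(target - next);

    if (d < INT32_MIN || d > INT32_MAX)
        return false;
    *disp = (int32_t)d;
    return true;
}

/* Emit "call rel32" (opcode E8) at cursor p; returns bytes written or 0
 * when the target is unreachable. Bytes are stored little-endian by hand
 * so the result does not depend on host byte order. */
static size_t emit_call(const struct stub_ctx *ctx, unsigned char *p,
                        unsigned long target)
{
    int32_t disp;
    if (!rel32_disp(target, exec_addr(ctx, p), &disp))
        return 0;
    p[0] = 0xe8;
    uint32_t u = (uint32_t)disp;
    for (int i = 0; i < 4; i++)
        p[1 + i] = (unsigned char)(u >> (8 * i));
    return 5;
}
```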
