
Re: [PATCH 2/5] llc-coloring: improve checking while parsing


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Mykola Kvach <xakep.amatop@xxxxxxxxx>
  • Date: Tue, 24 Mar 2026 18:51:03 +0200
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Kamil Frankowicz <kamil.frankowicz@xxxxxxx>
  • Delivery-date: Tue, 24 Mar 2026 16:51:26 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Mar 24, 2026 at 6:37 PM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>
> We can easily avoid the risk of wrapping UINT_MAX <-> 0 by applying a
> check against the compile-time-constant maximum number of colors.
>
> Additionally the overflow checks suffered from an off-by-1, as the parsed
> ranges are inclusive (e.g. end == start being possible, requiring 1 array
> slot, while availability of 0 slots was checked in that case).
>
> Fixes: 6cdea3444eaf ("xen/arm: add Dom0 cache coloring support")
> Reported-by: Kamil Frankowicz <kamil.frankowicz@xxxxxxx>

For reference, I previously reported the UINT_MAX wraparound aspect here [1]
and later also here [2]. The off-by-1 in the inclusive-range accounting looks
like a separate issue.

Those threads also mention a few other related corner cases.


Best regards,
Mykola


[1] https://patchew.org/Xen/20241217170637.233097-1-carlo.nonato@xxxxxxxxxxxxxxx/20241217170637.233097-5-carlo.nonato@xxxxxxxxxxxxxxx/#db5d6a67-61d9-48d3-b6c4-213c1cbbda21@xxxxxxxxx
[2] https://lists.xen.org/archives/html/xen-devel/2026-01/msg00369.html

> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>
> --- a/xen/common/llc-coloring.c
> +++ b/xen/common/llc-coloring.c
> @@ -76,8 +76,9 @@ static int __init parse_color_config(con
>          else                /* Single value */
>              end = start;
>
> -        if ( start > end || (end - start) > (UINT_MAX - *num_colors) ||
> -             (*num_colors + (end - start)) >= max_num_colors )
> +        if ( end >= NR_LLC_COLORS || start > end ||
> +             (end - start) >= (UINT_MAX - *num_colors) ||
> +             (*num_colors + (end - start + 1)) >= max_num_colors )
>              return -EINVAL;
>
>          /* Colors are range checked in check_colors() */
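Review bot: In the last clause of the new condition, `(*num_colors + (end - start + 1)) >= max_num_colors` keeps `>=` while adding the `+ 1`, so a range that exactly fills the remaining slots is now rejected. With `*num_colors == 0` and `max_num_colors == 4`, the range `0-3` needs 4 slots: the removed line computed `3 >= 4` and accepted it, the added line computes `4 >= 4` and returns -EINVAL. If `max_num_colors` is the capacity of the destination array (its definition is not visible in this hunk), `>` looks like the intended comparison; if one slot is deliberately held back, a short comment saying so would help. The trailing context comment "Colors are range checked in check_colors()" also deserves an update, since `end >= NR_LLC_COLORS` now does part of that range check here.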
>
>



 

