Re: New Defects reported by Coverity Scan for XenProject
- To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Jason Andryuk <jason.andryuk@xxxxxxx>
- Date: Wed, 24 Jun 2026 17:53:14 -0400
- Cc: Juergen Gross <jgross@xxxxxxxx>, Julien Grall <julien@xxxxxxx>
- Delivery-date: Wed, 24 Jun 2026 21:53:44 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 2026-06-24 09:04, Jan Beulich wrote:
> On 24.06.2026 14:33, scan-admin@xxxxxxxxxxxx wrote:
>> ** CID 1695359: Insecure data handling (INTEGER_OVERFLOW)
>> /tools/xenstored/domain.c: 601 in domain_tree_remove_sub()
>>
>> _____________________________________________________________________________________________
>> *** CID 1695359: Insecure data handling (INTEGER_OVERFLOW)
>> /tools/xenstored/domain.c: 601 in domain_tree_remove_sub()
>> 595             node_changed = true;
>> 596     }
>> 597
>> 598     for (i = 1; i < node->hdr.num_perms; i++) {
>> 599             if (node->perms[i].id != domain->domid)
>> 600                     continue;
>> CID 1695359: Insecure data handling (INTEGER_OVERFLOW)
>> "8UL * (node->hdr.num_perms - i - 1U)", which might have underflowed, is passed to
>> "memmove(node->perms + i, node->perms + i + 1, 8UL * (node->hdr.num_perms - i - 1U))".
>> [Note: The source code implementation of the function has been overridden by a builtin model.]
>> 601             memmove(node->perms + i, node->perms + i + 1,
>> 602                     sizeof(*node->perms) * (node->hdr.num_perms - i - 1));
>
> I'm struggling with this one: As i < node->hdr.num_perms, the last argument
> passed to memmove() can be 0, but I can't see potential for underflow.
This gave me pause on my initial review. On the final iteration,
node->perms + i + 1 will point past the end of the allocation, but as
you say the size would be 0. I originally considered suggesting a check
and then decided it was unnecessary because of the 0.
Regards,
Jason
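
An added example, not part of the original message and not xenstored's code: a stand-alone C version of the compaction loop in the quoted report, showing the size expression reaching 0 on the last entry and what the same unsigned expression yields if `i < num` does not hold. `struct perm`, `tail_count()` and `remove_perms()` are hypothetical names, and the decrement of the count after each removal is an assumption, since the quoted excerpt ends at the `memmove()` call.

```c
#include <limits.h>
#include <string.h>

/* Hypothetical stand-in for a permission entry (not the xenstored type). */
struct perm {
    unsigned int id;
    unsigned int access;
};

/* Element count from the flagged expression. It is unsigned, so it wraps
 * to a huge value instead of going negative if i < num is ever broken. */
static unsigned int tail_count(unsigned int num, unsigned int i)
{
    return num - i - 1U;
}

/* Drop every entry from index 1 onward whose id equals domid and return
 * how many were removed. Index 0 is skipped, as in the quoted loop.
 * Assumption: the count is decremented and slot i is re-tested. */
static unsigned int remove_perms(struct perm *perms, unsigned int *num,
                                 unsigned int domid)
{
    unsigned int i = 1, removed = 0;

    while (i < *num) {
        if (perms[i].id != domid) {
            i++;
            continue;
        }
        /* i < *num holds here, so tail_count() is in [0, *num - 2].
         * For the last entry it is 0 and perms + i + 1 is the
         * one-past-the-end pointer; no bytes are moved. */
        memmove(perms + i, perms + i + 1,
                sizeof(*perms) * tail_count(*num, i));
        (*num)--;
        removed++;
    }
    return removed;
}

int main(void)
{
    /* Constructed sample: entries 1 and 3 belong to domain 5. */
    struct perm p[] = { {0, 1}, {5, 2}, {7, 3}, {5, 4} };
    unsigned int n = 4;

    return remove_perms(p, &n, 5) == 2 && tail_count(3, 3) == UINT_MAX ? 0 : 1;
}
```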