[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Two small patches related to xenfb



Rafal Wojtczuk writes ("[Xen-devel] Two small patches related to xenfb"):
> Two minor issues:
> row_stride_div0.patch: a malicious frontend can send row_stride==0 and force
> qemu-dm to perform division by 0
> vnc_resize_doublecheck.patch: there is an unchecked multiplication when
> calculating framebuffer size. Cs 17630 sanitizes framebuffer dimensions
> passed by the frontend, so most probably no integer overflow can happen, but
> there should be a check for overflow close to the actual computation (to
> make code review easier and to cope with other codepaths in the future). 

Thanks.  Your patch wasn't quite right in a couple of ways but I have
fixed it up and applied it to qemu-xen-unstable.  I'll cherry pick it
into 3.3 after I get a successful test run.

> Diffs against xen-3.2-testing.hg.

Thanks but xen-3.2 is pretty much out of our support life cycle now.
We would suggest you use 3.3 instead.

> +static int mult_overflows(int x, int y)
> +{
> +    if (x<=0 || y<=0 || x*y<=0 || x>((unsigned int)(-1))/y)

This isn't correct.
  * The use of (unsigned int)(-1) is strange; you should use INT_MAX
    (and not ~(unsigned int)0 either, as we wanted the figure for
    _signed_ overflow).
  * Multiplying x*y is undefined behaviour if it's an overflow;
    that can in theory lead the compiler to `prove' that you know
    that there is no overflow and conclude that the other tests cannot
    fail.  You should not do this test at all.  The division is
    sufficient.

> +    if (mult_overflows(w, h) || mult_overflows(w*h, vs->depth) ||
> +        mult_overflows(h, sizeof(vs->dirty_row[0])) {

Evidently you didn't compile this because it has a missing
parenthesis.

Also, you should include a Signed-Off-By line like this
    Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
except with your name and email address.  This indicates that you are
certifying the code as suitable (copyright-wise and so on) for
inclusion in Xen.  You can find the precise meaning in the Linux
upstream kernel tree (Documentation/SubmittingPatches).

In this case, and since your patch was so small, I took your message
to grant the relevant permissions.

Ian.

>From Documentation/SubmittingPatches:

        Developer's Certificate of Origin 1.1

        By making a contribution to this project, I certify that:

        (a) The contribution was created in whole or in part by me and I
            have the right to submit it under the open source license
            indicated in the file; or

        (b) The contribution is based upon previous work that, to the best
            of my knowledge, is covered under an appropriate open source
            license and I have the right under that license to submit that
            work with modifications, whether created in whole or in part
            by me, under the same open source license (unless I am
            permitted to submit under a different license), as indicated
            in the file; or

        (c) The contribution was provided directly to me by some other
            person who certified (a), (b) or (c) and I have not modified
            it.

        (d) I understand and agree that this project and the contribution
            are public and that a record of the contribution (including all
            personal information I submit with it, including my sign-off) is
            maintained indefinitely and may be redistributed consistent with
            this project or the open source license(s) involved.

-- 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.