[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[win-pv-devel] [PATCH] Zero blkif ring before use



From: Owen Smith <owen.smith@xxxxxxxxxx>

Also resets blkif ring's counters before freeing, as a safety measure
for use-after-free attempting to access ring data.

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>
---
 src/xenvbd/blockring.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/xenvbd/blockring.c b/src/xenvbd/blockring.c
index 7cf5c84..416424d 100644
--- a/src/xenvbd/blockring.c
+++ b/src/xenvbd/blockring.c
@@ -304,6 +304,7 @@ BlockRingConnect(
     if (BlockRing->SharedRing == NULL)
         goto fail2;
 
+    RtlZeroMemory(BlockRing->SharedRing, (SIZE_T)PAGE_SIZE << 
BlockRing->Order);
 #pragma warning(push)
 #pragma warning(disable: 4305)
 #pragma warning(disable: 4311)
@@ -443,6 +444,11 @@ BlockRingDisconnect(
     }
 
     RtlZeroMemory(&BlockRing->FrontRing, sizeof(BlockRing->FrontRing));
+#pragma warning(push)
+#pragma warning(disable: 4305)
+#pragma warning(disable: 4311)
+    SHARED_RING_INIT(BlockRing->SharedRing);
+#pragma warning(pop)
     __FreePages(BlockRing->SharedRing, BlockRing->Mdl);
     BlockRing->SharedRing = NULL;
     BlockRing->Mdl = NULL;
-- 
2.8.3


_______________________________________________
win-pv-devel mailing list
win-pv-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/cgi-bin/mailman/listinfo/win-pv-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.