
[Xen-changelog] [xen master] xen/arm: Correctly handle non-page aligned pointer in raw_copy_from_guest



commit 4959e0eacf56456a4b16d59e98cec58f7c2d66be
Author:     Julien Grall <julien.grall@xxxxxxxxxx>
AuthorDate: Tue Feb 18 16:56:17 2014 +0000
Commit:     Ian Campbell <ian.campbell@xxxxxxxxxx>
CommitDate: Tue Feb 18 17:33:49 2014 +0000

    xen/arm: Correctly handle non-page aligned pointer in raw_copy_from_guest
    
    The current implementation of raw_copy_guest helper may lead to data corruption
    and sometimes Xen crash when the guest virtual address is not aligned to
    PAGE_SIZE.
    
    When the total length is higher than a page, the length to read is badly
    computed with
        min(len, (unsigned)(PAGE_SIZE - offset))
    
    As the offset is only computed one time per function, if the start address was
    not aligned to PAGE_SIZE, we can end up in the same iteration:
        - to read across page boundary => xen crash
        - read the previous page => data corruption
    
    This issue can be resolved by setting offset to 0 at the end of the first
    iteration. Indeed, after it, the virtual guest address is always aligned
    to PAGE_SIZE.
    
    Signed-off-by: Julien Grall <julien.grall@xxxxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    Cc: George Dunlap <george.dunlap@xxxxxxxxxx>
    [ ijc -- duplicated the comment in the other two functions with this behaviour ]
---
 xen/arch/arm/guestcopy.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c
index af0af6b..cea5f97 100644
--- a/xen/arch/arm/guestcopy.c
+++ b/xen/arch/arm/guestcopy.c
@@ -30,6 +30,10 @@ static unsigned long raw_copy_to_guest_helper(void *to, 
const void *from,
         len -= size;
         from += size;
         to += size;
+        /*
+         * After the first iteration, guest virtual address is correctly
+         * aligned to PAGE_SIZE.
+         */
         offset = 0;
     }
 
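Review bot: The comment above `offset = 0;` in raw_copy_to_guest_helper says the address is now aligned but not what depends on that. The commit message gives the per-iteration length as min(len, (unsigned)(PAGE_SIZE - offset)), so consider wording the comment around it, for example noting that offset must be cleared so later chunks are sized against a full page. That makes it obvious to a future editor that dropping the assignment reintroduces the bug being fixed in raw_copy_from_guest.
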
@@ -68,6 +72,10 @@ unsigned long raw_clear_guest(void *to, unsigned len)
         unmap_domain_page(p - offset);
         len -= size;
         to += size;
+        /*
+         * After the first iteration, guest virtual address is correctly
+         * aligned to PAGE_SIZE.
+         */
         offset = 0;
     }
 
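Review bot: In raw_clear_guest the context line `unmap_domain_page(p - offset);` uses the offset that was applied to p in this iteration, so `offset = 0;` has to stay after the unmap, and the new comment does not mention that ordering. Consider adding a short remark that the reset must follow the unmap. The identical four-line comment now appears in three loops; one explanatory comment or a shared helper would keep the copies from drifting apart.
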
@@ -96,6 +104,11 @@ unsigned long raw_copy_from_guest(void *to, const void 
__user *from, unsigned le
         len -= size;
         from += size;
         to += size;
+        /*
+         * After the first iteration, guest virtual address is correctly
+         * aligned to PAGE_SIZE.
+         */
+        offset = 0;
     }
     return 0;
 }
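
Review bot: The `+        offset = 0;` line in raw_copy_from_guest is the only functional change in this patch, and nothing here guards against it regressing. The commit message says the problem is reached through a non-page-aligned guest virtual address and can crash Xen, so a test that copies more than one page from a non-aligned source would be worth adding, and the fix should be considered for stable branches. The three loops follow the same chunking pattern and one of them was missing the reset, which argues for factoring the loop into a single helper.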
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
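
The length computation described in the commit message, as an added model that is not part of the patch or of Xen's code. It tracks addresses only and assumes each iteration may touch just the page containing the current guest address; count_overruns, min_u and the sample addresses are made up for illustration, and only the "read across page boundary" outcome is modelled.

```c
#include <stdio.h>

#define PAGE_SIZE 4096u

static unsigned min_u(unsigned a, unsigned b) { return a < b ? a : b; }

/*
 * Walk [from, from + len) in per-page chunks, sizing each chunk with the
 * expression quoted in the commit message. reset_offset = 0 models the
 * loop before the patch, reset_offset = 1 the loop after it.
 * Returns how many chunks run past the end of the page they start in.
 */
unsigned count_overruns(unsigned long from, unsigned len, int reset_offset)
{
    unsigned offset = (unsigned)(from % PAGE_SIZE); /* computed once */
    unsigned overruns = 0;

    while (len) {
        unsigned size = min_u(len, PAGE_SIZE - offset);
        unsigned in_page = (unsigned)(from % PAGE_SIZE);

        /* Assumption: only the page holding 'from' is mapped here. */
        if (in_page + size > PAGE_SIZE)
            overruns++;

        len -= size;
        from += size;
        if (reset_offset)
            offset = 0; /* address is page aligned from now on */
    }
    return overruns;
}

int main(void)
{
    unsigned long from = 0x10100; /* constructed, 0x100 into a page */
    unsigned len = 3 * PAGE_SIZE;

    printf("stale offset: %u chunk(s) cross a page\n",
           count_overruns(from, len, 0));
    printf("offset reset: %u chunk(s) cross a page\n",
           count_overruns(from, len, 1));
    return 0;
}
```

With the stale offset every chunk is capped at PAGE_SIZE - 0x100 bytes, so the walk drifts away from page alignment and the third and fourth chunks extend past their page; with the reset every chunk after the first starts on a page boundary.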
