[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.21] llc-coloring: improve checking while parsing

commit c9ba169b934d1e4cd733cfb23b48bace040cd097
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Mon Apr 20 12:25:55 2026 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Apr 20 12:25:55 2026 +0200

    llc-coloring: improve checking while parsing
    
    We can easily avoid the risk of wrapping UINT_MAX <-> 0 by applying a
    check against the compile-time-constant maximum number of colors.
    
    Additionally the overflow checks suffered from an off-by-1, as the parsed
    ranges are inclusive (e.g. end == start being possible, requiring 1 array
    slot, while availability of 0 slots was checked in that case).
    
    Fixes: 6cdea3444eaf ("xen/arm: add Dom0 cache coloring support")
    Reported-by: Mykola Kvach <xakep.amatop@xxxxxxxxx>
    Reported-by: Kamil Frankowicz <kamil.frankowicz@xxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    
    xen/common: llc-coloring: Fix off-by-one in parse_color_config()
    
    The check uses (*num_colors + (end - start + 1)) >= max_num_colors, which
    rejects a configuration where exactly max_num_colors colors are specified.
    For example, if max_num_colors is 4 and *num_colors is 0, a range "0-3"
    gives (end - start + 1) = 4, and (0 + 4) >= 4 is true, incorrectly
    returning -EINVAL.
    
    Fix this by switching the overflow condition to the state before commit
    cba8a584de17 that regressed the behavior (i.e. don't add 1).
    
    Fixes: cba8a584de17 ("llc-coloring: improve checking while parsing")
    Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
    Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>
    master commit: cba8a584de171c8c4510709c2edc9f1cf86b21ab
    master date: 2026-04-07 13:52:44 +0200
    master commit: dc28f531e6a29a6fdd58f24073dfb48af06b8334
    master date: 2026-04-10 12:14:05 +0200
---
 xen/common/llc-coloring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/common/llc-coloring.c b/xen/common/llc-coloring.c
index 77a54beed1..bc79730656 100644
--- a/xen/common/llc-coloring.c
+++ b/xen/common/llc-coloring.c
@@ -76,7 +76,8 @@ static int __init parse_color_config(const char *buf, 
unsigned int colors[],
         else                /* Single value */
             end = start;
 
-        if ( start > end || (end - start) > (UINT_MAX - *num_colors) ||
+        if ( end >= NR_LLC_COLORS || start > end ||
+             (end - start) >= (UINT_MAX - *num_colors) ||
              (*num_colors + (end - start)) >= max_num_colors )
             return -EINVAL;
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.21

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.