|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 1/2] libxc: Check full range of pfns for xc_dom_pfn_to_ptr
# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1265130967 0
# Node ID 5fc5ee3e3530d38a21d00b4ec2d559b47a23cf07
# Parent 72c359823655427fed7418f0a1cdd39d496ec571
libxc: Check full range of pfns for xc_dom_pfn_to_ptr
Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.
It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here. But this is probably best not
done while frozen for 4.0.
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
diff -r 72c359823655 -r 5fc5ee3e3530 tools/libxc/xc_dom_core.c
--- a/tools/libxc/xc_dom_core.c Tue Feb 02 15:47:36 2010 +0000
+++ b/tools/libxc/xc_dom_core.c Tue Feb 02 17:16:07 2010 +0000
@@ -288,7 +288,9 @@
unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
char *mode = "unset";
- if ( pfn > dom->total_pages )
+ if ( pfn > dom->total_pages || /* multiple checks to avoid overflows */
+ count > dom->total_pages ||
+ pfn > dom->total_pages - count )
{
xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " > 0x%" PRIpfn ")\n",
__FUNCTION__, pfn, dom->total_pages);
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |