[Xen-devel] [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check
xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether bits should be masked off from the input cpumap bitmap or not. Fix and make clearer by simply comparing the amount of bytes given in the input cpumap to the amount actually copied; if equal, bits may need to be masked off. This does not have security impact: _xmalloc never returns allocations smaller than the size of a pointer, hence the uncorrected buffer size check would still not allow writes to unallocated memory. Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx> --- Jan: Agreed with both of your points. Here's a v2. diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e153cb4..a7a6b9f 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask( { if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) ) err = -EFAULT; - if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) ) + if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) ) bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7)); } -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
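Review bot: the masking statement `bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));` still runs after `copy_from_guest` has failed and `err` is already `-EFAULT`, so the tail byte of a buffer that was not successfully copied gets modified; making the second `if` an `else if`, or skipping it when `err` is set, would keep the error path explicit. The new condition `guest_bytes == copy_bytes` is correct only because of how `copy_bytes` is computed, which is outside this hunk, so a one-line comment above the check saying that equality means the guest's last, partially used byte was copied and its bits above `nr_cpus & 7` must be cleared would save the next reader from re-deriving it.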