
[Xen-devel] [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check



xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
bits should be masked off from the input cpumap bitmap or not.

Fix and make clearer by simply comparing the amount of bytes given in
the input cpumap to the amount actually copied; if equal, bits may need
to be masked off.

This does not have security impact: _xmalloc never returns allocations
smaller than the size of a pointer, hence the uncorrected buffer size
check would still not allow writes to unallocated memory.

Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>
---
Jan: Agreed with both of your points. Here's a v2.

diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index e153cb4..a7a6b9f 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
     {
         if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
             err = -EFAULT;
-        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) )
+        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
             bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));
     }
 
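Review bot: the new condition on the `+` line tests `guest_bytes == copy_bytes`, but the following line still indexes `bytemap[guest_bytes-1]`, so the bounds argument rests on how `copy_bytes` is derived, which is outside this hunk. Indexing with `copy_bytes - 1` (the same value whenever the new condition holds) would tie the write visibly to the number of bytes actually copied, and a one-line comment stating that equality means the guest's final partial byte is in the buffer would save the next reader from re-deriving it. Separately, the mask is still applied when `copy_from_guest` has just failed and `err` is `-EFAULT`; turning the second `if` into an `else if` would avoid masking a buffer that was not successfully filled.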
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

