[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check


  • To: Matthew Daley <mattjd@xxxxxxxxx>, <JBeulich@xxxxxxxx>
  • From: Keir Fraser <keir@xxxxxxx>
  • Date: Tue, 13 Nov 2012 10:58:12 +0000
  • Cc: xen-devel@xxxxxxxxxxxxx
  • Delivery-date: Tue, 13 Nov 2012 10:58:30 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Thread-index: Ac3BjcX/rN9pMum9Ikqv6SvyR9c2YQ==
  • Thread-topic: [Xen-devel] [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check

On 13/11/2012 10:17, "Matthew Daley" <mattjd@xxxxxxxxx> wrote:

> xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
> bits should be masked off from the input cpumap bitmap or not.
> 
> Fix and make clearer by simply comparing the amount of bytes given in
> the input cpumap to the amount actually copied; if equal, bits may need
> to be masked off.
> 
> This does not have security impact: _xmalloc never returns allocations
> smaller than the size of a pointer, hence the uncorrected buffer size
> check would still not allow writes to unallocated memory.
> 
> Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>

Acked-by: Keir Fraser <keir@xxxxxxx>

> ---
> Jan: Agreed with both of your points. Here's a v2.
> 
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index e153cb4..a7a6b9f 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
>      {
>          if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
>              err = -EFAULT;
> -        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap))
> )
> +        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
>              bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus &
> 7));
>      }
>  



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.