Re: [Xen-devel] [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check
On 13/11/2012 10:17, "Matthew Daley" <mattjd@xxxxxxxxx> wrote: > xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether > bits should be masked off from the input cpumap bitmap or not. > > Fix and make clearer by simply comparing the amount of bytes given in > the input cpumap to the amount actually copied; if equal, bits may need > to be masked off. > > This does not have security impact: _xmalloc never returns allocations > smaller than the size of a pointer, hence the uncorrected buffer size > check would still not allow writes to unallocated memory. > > Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx> Acked-by: Keir Fraser <keir@xxxxxxx> > --- > Jan: Agreed with both of your points. Here's a v2. > > diff --git a/xen/common/domctl.c b/xen/common/domctl.c > index e153cb4..a7a6b9f 100644 > --- a/xen/common/domctl.c > +++ b/xen/common/domctl.c > @@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask( > { > if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) ) > err = -EFAULT; > - if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) > ) > + if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) ) > bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & > 7)); > } > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
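Review bot: in the changed condition of the xenctl_cpumap_to_cpumask hunk, the masking of `bytemap[guest_bytes-1]` still runs after `copy_from_guest` has failed and `err` has been set to -EFAULT, because the two `if` statements are independent. In that case the byte being masked was never filled from the guest, so the operation is wasted work on a buffer the caller should discard; making the second test an `else if`, or adding a comment that the mask is harmless on the error path, would make the intent explicit. A one-line comment above the new test would also help, stating that `guest_bytes == copy_bytes` means the copy was not truncated, so the last guest byte is the last byte copied and index `guest_bytes-1` is inside what was copied. The definitions of `guest_bytes` and `copy_bytes` are outside the visible context, so the patch should be read together with them to confirm that `copy_bytes` never exceeds the `bytemap` allocation.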