|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check
On 13/11/2012 10:17, "Matthew Daley" <mattjd@xxxxxxxxx> wrote:
> xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
> bits should be masked off from the input cpumap bitmap or not.
>
> Fix and make clearer by simply comparing the amount of bytes given in
> the input cpumap to the amount actually copied; if equal, bits may need
> to be masked off.
>
> This does not have security impact: _xmalloc never returns allocations
> smaller than the size of a pointer, hence the uncorrected buffer size
> check would still not allow writes to unallocated memory.
>
> Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
> ---
> Jan: Agreed with both of your points. Here's a v2.
>
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index e153cb4..a7a6b9f 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
> {
> if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
> err = -EFAULT;
> - if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap))
> )
> + if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
> bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus &
> 7));
> }
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |