[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller

To: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Thu, 26 Sep 2013 20:37:15 +0100
Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, Matthew Daley <mattjd@xxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx, David Vrabel <david.vrabel@xxxxxxxxxx>
Delivery-date: Thu, 26 Sep 2013 19:37:43 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 26/09/13 20:29, Boris Ostrovsky wrote:
> On 09/17/2013 11:37 PM, Matthew Daley wrote:
>> The wrong amount of indirections were being taken in
>> libxl_string_list_length, and its only caller was miscounting the amount
>> of initial non-list arguments, seemingly since the initial commit
>> (599c784).
>>
>> This has been seen and reported in the wild (##xen):
>> < Trixboxer> Hi, any idea why would I get
>> < Trixboxer> xl: libxl_bootloader.c:42: bootloader_arg: Assertion
>> `bl->nargs < bl->argsspace' failed.
>> < Trixboxer> 4.2.2-23.el6
>>
>> Coverity-ID: 1054954
>> Signed-off-by: Matthew Daley<mattjd@xxxxxxxxx>
>> ---
>>   tools/libxl/libxl.c            |    2 +-
>>   tools/libxl/libxl_bootloader.c |    2 +-
>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
>> index 0879f23..ca24ca3 100644
>> --- a/tools/libxl/libxl.c
>> +++ b/tools/libxl/libxl.c
>> @@ -202,7 +202,7 @@ int libxl_string_list_length(const
>> libxl_string_list *psl)
>>   {
>>       if (!psl) return 0;
>
> This should be
>     if (!psl || !(*psl)) return 0;
>
> We segfault otherwise at the changed line below if no arguments are
> passed to the bootloader (as is the case with pvgrub).
>
>>       int i = 0;
>> -    while (*psl++) i++;
>> +    while ((*psl)[i]) i++;
>>       return i;
>>   }
>
> (I am surprised Coverity didn't flag this)
>
> -boris

For this bug, Coveritys specific objection was that the caller passes a
singleton pointer into this function, and this function uses it as an
array.  This is a side effect of using the wrong indirection.

However, your spot of the crash is good, and needs fixing as well.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
  - From: Matthew Daley

References:
- [Xen-devel] [PATCH 00/28] Fixes for various minor Coverity issues, volume 2
  - From: Matthew Daley
- [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
  - From: Matthew Daley
- Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
  - From: Boris Ostrovsky

Prev by Date: Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
Next by Date: Re: [Xen-devel] GPU passthrough issue when VM is configured with 4G memory / Xen 4.4
Previous by thread: Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
Next by thread: Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.