[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Matthew Daley <mattjd@xxxxxxxxx>
Date: Fri, 27 Sep 2013 12:46:05 +1200
Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, David Vrabel <david.vrabel@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
Delivery-date: Fri, 27 Sep 2013 00:46:44 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, Sep 27, 2013 at 7:37 AM, Andrew Cooper
<andrew.cooper3@xxxxxxxxxx> wrote:
> On 26/09/13 20:29, Boris Ostrovsky wrote:
>> On 09/17/2013 11:37 PM, Matthew Daley wrote:
>>> The wrong amount of indirections were being taken in
>>> libxl_string_list_length, and its only caller was miscounting the amount
>>> of initial non-list arguments, seemingly since the initial commit
>>> (599c784).
>>>
>>> This has been seen and reported in the wild (##xen):
>>> < Trixboxer> Hi, any idea why would I get
>>> < Trixboxer> xl: libxl_bootloader.c:42: bootloader_arg: Assertion
>>> `bl->nargs < bl->argsspace' failed.
>>> < Trixboxer> 4.2.2-23.el6
>>>
>>> Coverity-ID: 1054954
>>> Signed-off-by: Matthew Daley<mattjd@xxxxxxxxx>
>>> ---
>>>   tools/libxl/libxl.c            |    2 +-
>>>   tools/libxl/libxl_bootloader.c |    2 +-
>>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
>>> index 0879f23..ca24ca3 100644
>>> --- a/tools/libxl/libxl.c
>>> +++ b/tools/libxl/libxl.c
>>> @@ -202,7 +202,7 @@ int libxl_string_list_length(const
>>> libxl_string_list *psl)
>>>   {
>>>       if (!psl) return 0;
>>
>> This should be
>>     if (!psl || !(*psl)) return 0;
>>
>> We segfault otherwise at the changed line below if no arguments are
>> passed to the bootloader (as is the case with pvgrub).
>>
>>>       int i = 0;
>>> -    while (*psl++) i++;
>>> +    while ((*psl)[i]) i++;
>>>       return i;
>>>   }
>>
>> (I am surprised Coverity didn't flag this)
>>
>> -boris
>
> For this bug, Coveritys specific objection was that the caller passes a
> singleton pointer into this function, and this function uses it as an
> array.  This is a side effect of using the wrong indirection.

Also, we don't have automated scanning set up yet, and this patch is
still in staging anyway.

>
> However, your spot of the crash is good, and needs fixing as well.

Indeed, I'll send out a patch.

- Matthew

>
> ~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH 00/28] Fixes for various minor Coverity issues, volume 2
  - From: Matthew Daley
- [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
  - From: Matthew Daley
- Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
  - From: Boris Ostrovsky
- Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [RFC 0 PATCH 3/3] PVH dom0: construct_dom0 changes
Next by Date: [Xen-devel] [PATCH] microcode: Scan the multiboot payloads for cpio format microcode blob. (v3.3)
Previous by thread: Re: [Xen-devel] [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
Next by thread: [Xen-devel] [PATCH 05/28] libxl: fix dispose without init of disk in cd_insert
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.