[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] x86/hvm: avoid potential NULL pointer dereferences

Coverity flagged that hvm_next_io_handler() will return NULL after
calling domain_crash() and this will then lead to NULL pointer
dereferences in calling functions.

This patch checks for NULL in the callers and bails in that case.

Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
Cc: Keir Fraser <keir@xxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/hvm/intercept.c |    6 ++++++
 xen/arch/x86/hvm/io.c        |    3 +++
 xen/arch/x86/hvm/stdvga.c    |    4 ++++
 3 files changed, 13 insertions(+)

diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index 19edd41..08a4e73 100644
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -265,6 +265,9 @@ void register_mmio_handler(struct domain *d,
 {
     struct hvm_io_handler *handler = hvm_next_io_handler(d);
 
+    if ( handler == NULL )
+        return;
+
     handler->type = IOREQ_TYPE_COPY;
     handler->ops = &mmio_ops;
     handler->mmio.ops = ops;
@@ -275,6 +278,9 @@ void register_portio_handler(struct domain *d, unsigned int 
port,
 {
     struct hvm_io_handler *handler = hvm_next_io_handler(d);
 
+    if ( handler == NULL )
+        return;
+
     handler->type = IOREQ_TYPE_PIO;
     handler->ops = &portio_ops;
     handler->portio.port = port;
diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c
index 603711c..a7f2bbc 100644
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -255,6 +255,9 @@ void register_dpci_portio_handler(struct domain *d)
 {
     struct hvm_io_handler *handler = hvm_next_io_handler(d);
 
+    if ( handler == NULL )
+        return;
+
     handler->type = IOREQ_TYPE_PIO;
     handler->ops = &dpci_portio_ops;
 }
diff --git a/xen/arch/x86/hvm/stdvga.c b/xen/arch/x86/hvm/stdvga.c
index 8222af3..47b8432 100644
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -576,6 +576,10 @@ void stdvga_init(struct domain *d)
 
         /* VGA memory */
         handler = hvm_next_io_handler(d);
+
+        if ( handler == NULL )
+            return;
+
         handler->type = IOREQ_TYPE_COPY;
         handler->ops = &stdvga_mem_ops;
     }
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.