Re: [Xen-devel] [PATCH] fix potential pa_range_info out of bound access
On Thu, 8 Dec 2016, Stefano Stabellini wrote: > pa_range_info has only 8 elements and is accessed using pa_range as > index. pa_range is initialized to 16, potentially causing out of bound > access errors. Fix the issue by initializing pa_range to the effective > number of pa_range_info elements. > > CID 1381865 > > Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> > > diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c > index e4991df..245fcd1 100644 > --- a/xen/arch/arm/p2m.c > +++ b/xen/arch/arm/p2m.c > @@ -1629,7 +1629,7 @@ void __init setup_virt_paging(void) > }; > > unsigned int cpu; > - unsigned int pa_range = 0x10; /* Larger than any possible value */ > + unsigned int pa_range = sizeof(pa_range_info) / sizeof(pa_range_info[0]); > > for_each_online_cpu ( cpu ) > { this is wrong, it should be sizeof(pa_range_info) / sizeof(pa_range_info[0]) - 1: --- pa_range_info has only 8 elements and is accessed using pa_range as index. pa_range is initialized to 16, potentially causing out of bound access errors. Fix the issue by initializing pa_range to the effective number of pa_range_info elements minus 1. Coverity-ID: 1381865 Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index e4991df..14901b0 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -1629,7 +1629,7 @@ void __init setup_virt_paging(void) }; unsigned int cpu; - unsigned int pa_range = 0x10; /* Larger than any possible value */ + unsigned int pa_range = ARRAY_SIZE(pa_range_info) - 1; for_each_online_cpu ( cpu ) { _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
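Review bot: In the quoted first version of the hunk, the initialiser on the + line, sizeof(pa_range_info) / sizeof(pa_range_info[0]), is the element count, which is one past the last valid index, so a pa_range that is never lowered still reads past the end of the 8-element array when used as an index. Initialise to the count minus one, and use ARRAY_SIZE(pa_range_info) rather than the open-coded sizeof division.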
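Review bot: In the revised hunk, the + line drops the comment "Larger than any possible value" without a replacement, while the initial value changes meaning from an out-of-range sentinel to the last valid index of pa_range_info; a short comment on the + line stating that would keep the intent readable. The initialiser only bounds the starting value: the visible lines show no check on pa_range before it indexes pa_range_info, so if the for_each_online_cpu loop can assign it from a per-CPU value, a check against ARRAY_SIZE(pa_range_info) ahead of the lookup would rule out the out-of-bounds read regardless of the initial value.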