[PATCH v2 4/5] x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table()
UBSAN complains with:
UBSAN: Undefined behaviour in arch/x86/mm/shadow/private.h:515:30
pointer operation overflowed ffff82e000000000 to ffff82dfffffffe0
[...]
Xen call trace:
[<ffff82d040303882>] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0xc0
[<ffff82d040304cc3>] F
lib/xxhash64.c#__ubsan_handle_pointer_overflow+0xcb/0x100
[<ffff82d040471c5d>] F
arch/x86/mm/shadow/guest_2.c#sh_page_fault__guest_2+0x1e350
[<ffff82d0403b216b>] F lib/xxhash64.c#svm_vmexit_handler+0xdf3/0x2450
[<ffff82d0402049c0>] F lib/xxhash64.c#svm_stgi_label+0x5/0x15
Fix by moving the call to mfn_to_page() after the check of whether the
passed gmfn is valid. This avoids the call to mfn_to_page() with an
INVALID_MFN parameter.
While there make the page local variable const, it's not modified by the
function.
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
Changes since v1:
- New in this version.
---
xen/arch/x86/mm/shadow/private.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
index a5fc3a7676eb..cef9dbef2e77 100644
--- a/xen/arch/x86/mm/shadow/private.h
+++ b/xen/arch/x86/mm/shadow/private.h
@@ -512,13 +512,14 @@ static inline unsigned long __backpointer(const struct
page_info *sp)
static inline int
sh_mfn_is_a_page_table(mfn_t gmfn)
{
- struct page_info *page = mfn_to_page(gmfn);
+ const struct page_info *page;
struct domain *owner;
unsigned long type_info;
if ( !mfn_valid(gmfn) )
return 0;
+ page = mfn_to_page(gmfn);
owner = page_get_owner(page);
if ( owner && shadow_mode_refcounts(owner)
&& (page->count_info & PGC_shadowed_pt) )
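Review bot: With `page` now declared as `const struct page_info *page;`, the unchanged context line `owner = page_get_owner(page);` only compiles without a qualifier warning if page_get_owner() takes a const pointer; please confirm its prototype accepts const, or the newly added const will trigger a discarded-qualifier warning rather than the intended read-only guarantee. The reordering itself looks correct: `if ( !mfn_valid(gmfn) ) return 0;` now precedes `page = mfn_to_page(gmfn);`, so the frame-table pointer arithmetic that UBSAN flagged is never evaluated for INVALID_MFN.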
--
2.48.1