[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH v2 4/5] x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table()
UBSAN complains with: UBSAN: Undefined behaviour in arch/x86/mm/shadow/private.h:515:30 pointer operation overflowed ffff82e000000000 to ffff82dfffffffe0 [...] Xen call trace: [<ffff82d040303882>] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0xc0 [<ffff82d040304cc3>] F lib/xxhash64.c#__ubsan_handle_pointer_overflow+0xcb/0x100 [<ffff82d040471c5d>] F arch/x86/mm/shadow/guest_2.c#sh_page_fault__guest_2+0x1e350 [<ffff82d0403b216b>] F lib/xxhash64.c#svm_vmexit_handler+0xdf3/0x2450 [<ffff82d0402049c0>] F lib/xxhash64.c#svm_stgi_label+0x5/0x15 Fix by moving the call to mfn_to_page() after the check of whether the passed gmfn is valid. This avoid the call to mfn_to_page() with an INVALID_MFN parameter. While there make the page local variable const, it's not modified by the function. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- Changes since v1: - New in this version. --- xen/arch/x86/mm/shadow/private.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h index a5fc3a7676eb..cef9dbef2e77 100644 --- a/xen/arch/x86/mm/shadow/private.h +++ b/xen/arch/x86/mm/shadow/private.h @@ -512,13 +512,14 @@ static inline unsigned long __backpointer(const struct page_info *sp) static inline int sh_mfn_is_a_page_table(mfn_t gmfn) { - struct page_info *page = mfn_to_page(gmfn); + const struct page_info *page; struct domain *owner; unsigned long type_info; if ( !mfn_valid(gmfn) ) return 0; + page = mfn_to_page(gmfn); owner = page_get_owner(page); if ( owner && shadow_mode_refcounts(owner) && (page->count_info & PGC_shadowed_pt) ) -- 2.48.1
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |