From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: xen-devel@lists.xenproject.org, Ian Campbell <Ian.Campbell@citrix.com>
Subject: Re: [PATCH 5/5] xenstat: Fix buffer over-run with new_domains being negative (again).
Date: Mon, 25 Nov 2013 14:51:23 -0500 [thread overview]
Message-ID: <20131125195123.GC3339@phenom.dumpdata.com> (raw)
In-Reply-To: <52938A9D.8060706@citrix.com>
On Mon, Nov 25, 2013 at 05:36:29PM +0000, Andrew Cooper wrote:
> On 25/11/13 17:06, Ian Campbell wrote:
> > On Mon, 2013-11-25 at 12:00 -0500, Konrad Rzeszutek Wilk wrote:
> >> The git commit 1438d36f96e90d1116bebc6b3013634ca21c49c8
> >> "xenstat: Fix buffer over-run with new_domains being negative."
> >> fixed part of the problem, but it failed to do one more check.
> >>
> >> That is the if we don't exit out of the loop if the
> >> xc_domain_getinfolist returns -1. This makes the check
> >> by casting the unsigned int value to int as otherwise
> >> the
> >> if (new_domains < 0)
> >>
> >> would never get executed (as unsigned int won't be negative).
> >>
> >> Fixes CID 1055740.
> >>
> >> CC: andrew.cooper3@citrix.com
> >> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> >> ---
> >> tools/xenstat/libxenstat/src/xenstat.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/tools/xenstat/libxenstat/src/xenstat.c b/tools/xenstat/libxenstat/src/xenstat.c
> >> index e5facb8..27d8e22 100644
> >> --- a/tools/xenstat/libxenstat/src/xenstat.c
> >> +++ b/tools/xenstat/libxenstat/src/xenstat.c
> >> @@ -208,7 +208,7 @@ xenstat_node *xenstat_get_node(xenstat_handle * handle, unsigned int flags)
> >> node->num_domains,
> >> DOMAIN_CHUNK_SIZE,
> >> domaininfo);
> >> - if (new_domains < 0)
> >> + if ((int)new_domains < 0)
> > I expect that the right fix is to make new_domains the correct (signed)
> > type, no?
That can be done too.
> >
> > Ian.
> >
>
> xc_domain_getinfolist() is just as crazy as its partner in crime,
> xc_domain_getinfo(), and takes an unsigned int "max_doms" and returns a
> signed number of domains gotten, or -1 for certain failed hypercalls.
>
> I might be inclined to introduce a signed rc to hold the return value
> xc_domain_getinfolist(), check for a negative return before assigning to
> new_domains and also check for an overflow of node->num_domains +
> new_domains for the realloc.
Oh, hadn't thought about the overflow.
next prev parent reply other threads:[~2013-11-25 19:51 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-25 17:00 [PATCH] Coverity patches (tmem/xenstat) v1 Konrad Rzeszutek Wilk
2013-11-25 17:00 ` [PATCH 1/5] xc/tmem: Free temporary buffer used during migration Konrad Rzeszutek Wilk
2013-11-25 17:09 ` Andrew Cooper
2013-11-25 17:00 ` [PATCH 2/5] xc/tmem: Unchecked return value Konrad Rzeszutek Wilk
2013-11-25 17:11 ` Andrew Cooper
2013-11-25 19:53 ` Konrad Rzeszutek Wilk
2013-11-25 17:00 ` [PATCH 3/5] tmem: Check copy_to_user_* " Konrad Rzeszutek Wilk
2013-11-25 17:16 ` Andrew Cooper
2013-11-26 8:21 ` Jan Beulich
2013-11-26 18:16 ` Konrad Rzeszutek Wilk
2013-11-25 17:00 ` [PATCH 4/5] tmem: Pointless check of NULL against an array Konrad Rzeszutek Wilk
2013-11-25 17:19 ` Andrew Cooper
2013-11-25 19:54 ` Konrad Rzeszutek Wilk
2013-11-26 8:27 ` Jan Beulich
2013-11-25 17:00 ` [PATCH 5/5] xenstat: Fix buffer over-run with new_domains being negative (again) Konrad Rzeszutek Wilk
2013-11-25 17:06 ` Ian Campbell
2013-11-25 17:36 ` Andrew Cooper
2013-11-25 19:51 ` Konrad Rzeszutek Wilk [this message]
2013-11-26 8:40 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131125195123.GC3339@phenom.dumpdata.com \
--to=konrad.wilk@oracle.com \
--cc=Ian.Campbell@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.