From: Grzegorz Milos <gm281@cam.ac.uk>
To: Dietmar Hahn <dietmar.hahn@fujitsu-siemens.com>
Cc: xen-devel@lists.xensource.com
Subject: Re: [PATCH]mini-os: Bug in allocate_xenbus_id()
Date: Tue, 20 Feb 2007 18:53:16 +0000
Message-ID: <45DB439C.80707@cam.ac.uk>
In-Reply-To: <200702191047.14724.dietmar.hahn@fujitsu-siemens.com>

That's a good catch. Did you see the bug manifesting itself in practice?
Keir, could you apply please?
Thanks.
Gregor

Dietmar Hahn wrote:
> Hi Gregor,
>
> in allocate_xenbus_id() the static variable probe never gets reset.
> Therewith ids >= NR_REQS are possible, which lead to an overflow in
> req_info[] and may crash the mini-os.
> Thanks.
>
> Dietmar
>
> Signed-off-by: Dietmar Hahn <dietmar.hahn@fujitsu-siemens.com>
>
> # HG changeset patch
> # User dietmar.hahn@fujitsu-siemens.com
> # Date 1171877953 -3600
> # Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415
> # Parent b5fc88aad1b0eb35d12e503982c70fdc27f0544a
> Because probe never gets decremented (or reset), id >= NR_REQS is possible,
> which may lead to a crash.
>
> diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c
> --- a/extras/mini-os/xenbus/xenbus.c Sun Feb 18 15:29:40 2007 +0000
> +++ b/extras/mini-os/xenbus/xenbus.c Mon Feb 19 10:39:13 2007 +0100
> @@ -210,7 +210,7 @@ static int allocate_xenbus_id(void)
> }
> nr_live_reqs++;
> req_info[o_probe].in_use = 1;
> - probe = o_probe + 1;
> + probe = (o_probe + 1) % NR_REQS;
> spin_unlock(&req_lock);
> init_waitqueue_head(&req_info[o_probe].waitq);
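
Review bot: the "+" line "probe = (o_probe + 1) % NR_REQS;" wraps only the value stored back into the static, while "req_info[o_probe].in_use = 1;" and "init_waitqueue_head(&req_info[o_probe].waitq);" in the same hunk still index with o_probe and show no bounds check here. The code that derives o_probe sits above this hunk, so please confirm that it also keeps o_probe below NR_REQS, or add a range assertion just before "req_info[o_probe].in_use = 1;" so that a later change to that code fails loudly instead of writing past req_info[]. The changeset description could also name req_info[] as the array that is overrun, as the cover text does.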