From mboxrd@z Thu Jan 1 00:00:00 1970 From: Grzegorz Milos Subject: Re: [PATCH]mini-os: Bug in allocate_xenbus_id() Date: Tue, 20 Feb 2007 18:53:16 +0000 Message-ID: <45DB439C.80707@cam.ac.uk> References: <200702060803.21254.dietmar.hahn@fujitsu-siemens.com> <200702121136.50332.dietmar.hahn@fujitsu-siemens.com> <200702191047.14724.dietmar.hahn@fujitsu-siemens.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <200702191047.14724.dietmar.hahn@fujitsu-siemens.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Dietmar Hahn Cc: xen-devel@lists.xensource.com List-Id: xen-devel@lists.xenproject.org That's a good catch. Did you see the bug manifesting itself in practice? Keir could you apply please? Thanks. Gregor Dietmar Hahn wrote: > Hi Gregor, > > in allocate_xenbus_id() the static variable probe never gets reset. > Therewidth id's >= NR_REQS are possible, which lead to an overflow in > req_info[] and may crash the mini-os. > Thanks. > > Dietmar > > Signed-off-by: Dietmar Hahn > > # HG changeset patch > # User dietmar.hahn@fujitsu-siemens.com > # Date 1171877953 -3600 > # Node ID 3d04558ad3d7e3811ac8c827bb876858bbb1c415 > # Parent b5fc88aad1b0eb35d12e503982c70fdc27f0544a > Because probe never gets decremented (or reset), id >= NR_REQS is possible, > which may lead to a crash. > > diff -r b5fc88aad1b0 -r 3d04558ad3d7 extras/mini-os/xenbus/xenbus.c > --- a/extras/mini-os/xenbus/xenbus.c Sun Feb 18 15:29:40 2007 +0000 > +++ b/extras/mini-os/xenbus/xenbus.c Mon Feb 19 10:39:13 2007 +0100 > @@ -210,7 +210,7 @@ static int allocate_xenbus_id(void) > } > nr_live_reqs++; > req_info[o_probe].in_use = 1; > - probe = o_probe + 1; > + probe = (o_probe + 1) % NR_REQS; > spin_unlock(&req_lock); > init_waitqueue_head(&req_info[o_probe].waitq);
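Review bot: wrapping with `% NR_REQS` keeps the static `probe` cursor inside `req_info[]`, but the hunk only shows the write-back; the search loop above it that derives `o_probe` from `probe` is not visible, so confirm that it already tolerates a cursor that now wraps onto a slot still marked `in_use` (skipping it and wrapping itself) rather than assuming every slot at or past the cursor is free. Since the bug being fixed is an out-of-bounds write into `req_info[]`, a bounds assertion on `o_probe` immediately before `req_info[o_probe].in_use = 1;` would turn any future regression into an immediate, attributable failure instead of silent memory corruption; the `init_waitqueue_head(&req_info[o_probe].waitq);` call after `spin_unlock(&req_lock);` is unchanged and safe only because the slot is claimed under the lock, which is worth a one-line comment.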