From: Weidong Han <weidong.han@intel.com>
To: Jan Beulich <JBeulich@novell.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
	Keir Fraser <keir.fraser@eu.citrix.com>,
	"Cui, Dexuan" <dexuan.cui@intel.com>
Subject: Re: Xen 4.0.0-rc7 problem/hang with vt-d DMAR parsing
Date: Thu, 25 Mar 2010 17:05:57 +0800
Message-ID: <4BAB2775.5010208@intel.com>
In-Reply-To: <4BAB304A0200007800036D8B@vpn.id2.novell.com>

Jan Beulich wrote:
>>>> Weidong Han <weidong.han@intel.com> 25.03.10 01:55 >>>
>>>>         
>> Do you mean to know which case fails on length checking? How about below 
>> patch?
>>     
>
> Yes, something like this. Although I'd prefer to have a general
> sizeof(struct acpi_dmar_entry_header) check before the switch
> statement (to avoid even looking at out of range header fields),
> and "break"s instead of "goto disable"s.
>
>   
Ok. Updated the patch according to your suggestion. Thanks.

diff -r a4eac162dcb9 xen/drivers/passthrough/vtd/dmar.c
--- a/xen/drivers/passthrough/vtd/dmar.c    Thu Mar 25 01:05:03 2010 +0800
+++ b/xen/drivers/passthrough/vtd/dmar.c    Fri Mar 26 01:59:55 2010 +0800
@@ -659,26 +659,71 @@ static int __init acpi_parse_dmar(struct
     while ( ((unsigned long)entry_header) <
             (((unsigned long)dmar) + table->length) )
     {
+        if ( entry_header->length < sizeof(struct acpi_dmar_entry_header) )
+        {
+            dprintk(XENLOG_ERR VTDPREFIX,
+                    "Invalid ACPI DMAR entry length: 0x%x\n",
+                    entry_header->length);
+            ret = -EINVAL;
+            break;
+        }
+
         switch ( entry_header->type )
         {
         case ACPI_DMAR_DRHD:
             if ( iommu_verbose )
                 dprintk(VTDPREFIX, "found ACPI_DMAR_DRHD:\n");
+
+            if ( entry_header->length < sizeof(struct acpi_table_drhd) )
+            {
+                dprintk(XENLOG_ERR VTDPREFIX,
+                        "  Invalid length: 0x%x\n", entry_header->length);
+                ret = -EINVAL;
+                break;
+            }
+
             ret = acpi_parse_one_drhd(entry_header);
             break;
         case ACPI_DMAR_RMRR:
             if ( iommu_verbose )
                 dprintk(VTDPREFIX, "found ACPI_DMAR_RMRR:\n");
+
+            if ( entry_header->length < sizeof(struct acpi_table_rmrr) )
+            {
+                dprintk(XENLOG_ERR VTDPREFIX,
+                        "  Invalid length: 0x%x\n", entry_header->length);
+                ret = -EINVAL;
+                break;
+            }
+
             ret = acpi_parse_one_rmrr(entry_header);
             break;
         case ACPI_DMAR_ATSR:
             if ( iommu_verbose )
                 dprintk(VTDPREFIX, "found ACPI_DMAR_ATSR:\n");
+
+            if ( entry_header->length < sizeof(struct acpi_table_atsr) )
+            {
+                dprintk(XENLOG_ERR VTDPREFIX,
+                        "  Invalid length: 0x%x\n", entry_header->length);
+                ret = -EINVAL;
+                break;
+            }
+
             ret = acpi_parse_one_atsr(entry_header);
             break;
         default:
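
Review bot: the added checks only enforce a minimum on entry_header->length; nothing before the switch verifies that the entry ends inside the table. The loop condition bounds only the start address of entry_header against dmar + table->length, so an entry near the end of the table whose length field is larger than the bytes remaining passes every check here and is handed to acpi_parse_one_drhd(), acpi_parse_one_rmrr() or acpi_parse_one_atsr(). Consider adding, next to the new sizeof(struct acpi_dmar_entry_header) test, a check that (unsigned long)entry_header + entry_header->length does not exceed (unsigned long)dmar + table->length. Separately, the per-type message "  Invalid length: 0x%x\n" names no entry type, and the "found ACPI_DMAR_..." line above it is printed only when iommu_verbose is set, so without that option the log does not show which case failed; putting the type name in the error message itself would cover that.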
