From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: KEXEC: fix kexec_get_range_compat to fail vocally
Date: Mon, 5 Dec 2011 11:35:04 +0000
Message-ID: <4EDCAC68.8060303@citrix.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------060006030804030101050103"
Return-path: <xen-devel-bounces@lists.xensource.com>
List-Unsubscribe: <http://lists.xensource.com/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
List-Id: xen-devel@lists.xenproject.org

--------------060006030804030101050103
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

I am not sure that this is the only instance, but it is really not
acceptable to hand truncated pointers or sizes for physical memory to dom0.

-- 
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com


--------------060006030804030101050103
Content-Type: text/x-patch; name="KEXEC-fix-kexec_get_range_compat.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="KEXEC-fix-kexec_get_range_compat.patch"

KEXEC: fix kexec_get_range_compat to fail vocally.

Fail with -ERANGE rather than silently truncating 64bit values (a
physical address and size) into 32bit integers for dom0 to consume.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff -r df7cec2c6c03 xen/common/kexec.c
--- a/xen/common/kexec.c
+++ b/xen/common/kexec.c
@@ -395,6 +395,12 @@ static int kexec_get_range_compat(XEN_GU
 
     ret = kexec_get_range_internal(&range);
 
+#define RANGE_MASK (((unsigned long)-1) & ~((unsigned int)-1))
+    /* Dont silently truncate physical addresses or sizes. */
+    if ( range.start & RANGE_MASK || range.size & RANGE_MASK )
+        return -ERANGE;
+#undef RANGE_MASK
+
     if ( ret == 0 ) {
         XLAT_kexec_range(&compat_range, &range);
         if ( unlikely(copy_to_guest(uarg, &compat_range, 1)) )

--------------060006030804030101050103
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

--------------060006030804030101050103--