From: Andrew Cooper
Subject: xen: Fix off-by-one error when parsing command line arguments
Date: Mon, 2 Jul 2012 13:52:49 +0100
Message-ID: <4FF199A1.8080706@citrix.com>
To: "xen-devel@lists.xen.org", Keir Fraser, Jan Beulich, Ian Campbell
List-Id: xen-devel@lists.xenproject.org

This is a bug which is present in at least unstable and 4.1, so should be
considered for 4.2, as well as being considered for backport to older
versions.

-- 
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com

Content-Disposition: attachment; filename="xen-fix-cmdline-parsing.patch"

# HG changeset patch
# Parent 4f92bdf3370c4fe5ed0f00cdeaf8156e4818ecb5
xen: Fix off-by-one error when parsing command line arguments

As Xen currently stands, it will attempt to interpret the first few bytes of
the initcall section as a struct kernel_param.

This can be verified as

     for ( param = &__setup_start; param <= &__setup_end; param++ )
     {
+        if ( (unsigned long)param == (unsigned long)&__initcall_start )
+            BUG();

causes Xen to BUG() during early boot.

The reason that this has not caused problems is because in the overflow case,
param->name is actually a function pointer to the first initcall, and
interpreting it as a string is very unlikely to match an ASCII command line
parameter name.

Signed-off-by: Andrew Cooper

diff -r 4f92bdf3370c xen/common/kernel.c --- a/xen/common/kernel.c +++ b/xen/common/kernel.c 
@@ -90,7 +90,7 @@ void __init cmdline_parse(const char *cm if ( !bool_assert ) optkey += 3; - for ( param = &__setup_start; param <= &__setup_end; param++ ) + for ( param = &__setup_start; param < &__setup_end; param++ ) { if ( strcmp(param->name, optkey) ) continue; --------------040205080603050302090102 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --------------040205080603050302090102--
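Review bot: The corrected loop bound in cmdline_parse() depends on __setup_end being a one-past-the-end marker rather than the last valid struct kernel_param, and nothing in the visible context says so. A one-line comment at the for loop (or at the declaration of __setup_start/__setup_end) stating that __setup_end is exclusive would make it harder for the inclusive comparison to be reintroduced. Since the commit message shows the over-read landing on __initcall_start and this hunk touches only this one loop, it is also worth confirming in the same change that no other iteration over linker-section start/end symbols uses a <= comparison against its end marker.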