From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: Re: [PATCH 3/5] tmem: Check copy_to_user_* return value.
Date: Mon, 25 Nov 2013 17:16:37 +0000
Message-ID: <529385F5.4090608@citrix.com>
References: <1385398842-8247-1-git-send-email-konrad.wilk@oracle.com> <1385398842-8247-4-git-send-email-konrad.wilk@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Vkzm8-0001wE-2l for xen-devel@lists.xenproject.org; Mon, 25 Nov 2013 17:16:44 +0000
In-Reply-To: <1385398842-8247-4-git-send-email-konrad.wilk@oracle.com>
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Konrad Rzeszutek Wilk
Cc: xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

On 25/11/13 17:00, Konrad Rzeszutek Wilk wrote:
> We weren't checking whether that operation fails and
> return the proper error.
>
> This fixes CID 1055125, 105512, 1055127, 1055128, 1055129,
> 1055130.
>
> CC: Bob Liu
> Signed-off-by: Konrad Rzeszutek Wilk
> ---
> xen/common/tmem.c | 21 ++++++++++++++++-----
> 1 file changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/xen/common/tmem.c b/xen/common/tmem.c
> index 081772e..3bc35fd 100644
> --- a/xen/common/tmem.c
> +++ b/xen/common/tmem.c
> @@ -2146,8 +2146,12 @@ static int tmemc_list(domid_t cli_id, tmem_cli_va_param_t buf, uint32_t len,
> if ( cli_id == TMEM_CLI_ID_NULL ) {
> off = tmemc_list_global(buf,0,len,use_long);
> off += tmemc_list_shared(buf,off,len-off,use_long);
> - list_for_each_entry(client,&global_client_list,client_list)
> - off += tmemc_list_client(client, buf, off, len-off, use_long);
> + list_for_each_entry(client,&global_client_list,client_list) {

Spaces and commas.

> + int ret = tmemc_list_client(client, buf, off, len-off, use_long);
> + if ( ret < 0 )
> + return ret;
> + off += ret;
> + }
> off += tmemc_list_global_perf(buf,off,len-off,use_long);
> }
> else if ( (client = tmem_client_from_cli_id(cli_id)) == NULL)
> @@ -2155,6 +2159,8 @@ static int tmemc_list(domid_t cli_id, tmem_cli_va_param_t buf, uint32_t len,
> else
> off = tmemc_list_client(client, buf, 0, len, use_long);
>
> + if ( off < 0 )
> + return off;

This looks to check for an overflow of 'off', but it is too late. Overflow needs to be checked each time you possibly add more to it.

~Andrew

> return 0;
> }
>
> @@ -2319,8 +2325,9 @@ static int tmemc_save_subop(int cli_id, uint32_t pool_id,
> case TMEMC_SAVE_GET_POOL_UUID:
> if ( pool == NULL )
> break;
> - tmem_copy_to_client_buf(buf, pool->uuid, 2);
> rc = 0;
> + if ( tmem_copy_to_client_buf(buf, pool->uuid, 2) )
> + rc = -EFAULT;
> break;
> case TMEMC_SAVE_END:
> if ( client == NULL )
> @@ -2383,7 +2390,10 @@ static int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
> BUILD_BUG_ON(sizeof(h.oid) != sizeof(oid));
> memcpy(h.oid, oid.oid, sizeof(h.oid));
> h.index = pgp->index;
> - tmem_copy_to_client_buf(buf, &h, 1);
> + if ( tmem_copy_to_client_buf(buf, &h, 1) ) {
> + ret = -EFAULT;
> + goto out;
> + }
> tmem_client_buf_add(buf, sizeof(h));
> ret = do_tmem_get(pool, &oid, pgp->index, 0, 0, 0, pagesize, buf);
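Review bot: Only the tmemc_list_client() call inside the loop gets its return value checked; the tmemc_list_global(), tmemc_list_shared() and tmemc_list_global_perf() results on the surrounding lines are still added into `off` blind. If those helpers can fail the same way (they take the same buf/off/len arguments, so it seems likely, but their bodies are not visible here), a negative return is folded into `off` and the next call is handed a wrong `len-off`; they need the same `ret < 0` treatment as the loop body, e.g. `ret = tmemc_list_global_perf(buf, off, len-off, use_long); if ( ret < 0 ) return ret; off += ret;`. tmemc_list() starts before this hunk, so the declared type of `off` is not visible either; if it is unsigned, a negative helper return wraps rather than ever compares `< 0`, which would also affect the `len-off` arithmetic.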
>
> @@ -2427,8 +2437,9 @@ static int tmemc_save_get_next_inv(int cli_id, tmem_cli_va_param_t buf,
> BUILD_BUG_ON(sizeof(h.oid) != sizeof(pgp->inv_oid));
> memcpy(h.oid, pgp->inv_oid.oid, sizeof(h.oid));
> h.index = pgp->index;
> - tmem_copy_to_client_buf(buf, &h, 1);
> ret = 1;
> + if ( tmem_copy_to_client_buf(buf, &h, 1) )
> + ret = -EFAULT;
> out:
> tmem_spin_unlock(&pers_lists_spinlock);
> return ret;
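Review bot: The new `goto out` on a failed header copy in tmemc_save_get_next_page() bails out after `pgp` has been looked up, but whether that page has already been taken off the persistent list by this point is outside the hunk; if it has, the -EFAULT silently drops the page from the save stream and the toolstack cannot re-request it, whereas if it has not, a retry with a valid buffer is safe. Skipping tmem_client_buf_add() on the failure path is right either way, since the guest pointer is only advanced once the header is actually written. Once the list state is confirmed, a one-line comment on the new branch, e.g. `/* Header not delivered: guest buffer untouched, pgp still queued, caller may retry. */`, would document the contract. The `out:` label is also outside this hunk; in tmemc_save_get_next_inv() it releases pers_lists_spinlock, so presumably the same applies here. tmemc_save_get_next_page() starts before and ends after this hunk.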
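Review bot: Assigning `ret = 1` and then overriding it two lines later reads as two outcomes for one operation; the three lines collapse to `ret = tmem_copy_to_client_buf(buf, &h, 1) ? -EFAULT : 1;`, which states the contract in one place and mirrors the shape a reader expects next to the `out:` fall-through. The same question as in tmemc_save_get_next_page() applies here: whether `pgp` has already been unlinked from the invalidation list before the copy is not visible in this hunk, and if it has, an -EFAULT loses that invalidation record for the toolstack with no way to recover it. tmemc_save_get_next_inv() starts before this hunk.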