From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: xen-devel@lists.xenproject.org,
	Anthony PERARD <anthony.perard@vates.tech>,
	Michal Orzel <michal.orzel@amd.com>,
	Julien Grall <julien@xen.org>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH] xen: fix buffer over-read in bitmap_to_xenctl_bitmap()
Date: Fri, 25 Apr 2025 11:04:15 +0200	[thread overview]
Message-ID: <aAtQDwHmaSJVh-3k@macbook.lan> (raw)
In-Reply-To: <f425b237-dd89-4800-96c7-08072a3f67e3@suse.com>

On Fri, Apr 25, 2025 at 10:54:36AM +0200, Jan Beulich wrote:
> On 24.04.2025 15:04, Roger Pau Monné wrote:
> > On Thu, Apr 24, 2025 at 12:41:43PM +0100, Andrew Cooper wrote:
> >> On 24/04/2025 11:38 am, Roger Pau Monne wrote:
> >>> There's an off-by-one when calculating the last byte in the input array to
> >>> bitmap_to_xenctl_bitmap(), which leads to bitmaps with sizes multiple of 8
> >>> to over-read and incorrectly use a byte past the end of the array.
> >>
> >> /sigh
> >>
> >>> While there also ensure that bitmap_to_xenctl_bitmap() is not called with a
> >>> bitmap of 0 length.
> >>>
> >>> Fixes: 288c4641c80d ('xen: simplify bitmap_to_xenctl_bitmap for little endian')
> >>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> >>
> >> You ought to note that this is only not getting an XSA because
> >> 288c4641c80d isn't in a released Xen yet.
> > 
> > Yeah, I did explicitly check this wasn't backported to any stable
> > branches.
> > 
> >>> ---
> >>>  xen/common/bitmap.c | 8 +++++++-
> >>>  1 file changed, 7 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/xen/common/bitmap.c b/xen/common/bitmap.c
> >>> index bf1a7fd91e36..415d6bc074f6 100644
> >>> --- a/xen/common/bitmap.c
> >>> +++ b/xen/common/bitmap.c
> >>> @@ -369,6 +369,12 @@ int bitmap_to_xenctl_bitmap(struct xenctl_bitmap *xenctl_bitmap,
> >>>      const uint8_t *bytemap;
> >>>      uint8_t last, *buf = NULL;
> >>>  
> >>> +    if ( !nbits )
> >>> +    {
> >>> +	ASSERT_UNREACHABLE();
> >>> +	return -EILSEQ;
> >>> +    }
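Review bot: the two statements inside the new `if ( !nbits )` block (`ASSERT_UNREACHABLE();` and `return -EILSEQ;`) are indented with a tab while the enclosing `if`, `{` and `}` lines use four spaces; the file is space-indented, so these should be indented with spaces too. On the logic, -EILSEQ is a poor fit for nbits == 0: an empty bitmap is a valid if degenerate input rather than a malformed byte sequence, and the ASSERT_UNREACHABLE() means any future caller that passes 0 would trip the assertion in debug builds instead of getting an error; a plain early `return 0;` after doing no work is the less surprising contract. The last-byte index fix that the commit message describes is not part of the quoted hunk, so it cannot be checked here.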
> >>
> >> I don't see any hypercalls performing a bits==0 check, so I expect this
> >> is reachable.
> > 
> > bitmap_to_xenctl_bitmap() has just two callers, one passes nr_cpu_ids,
> > the other MAX_NUMNODES.  I think there are no callers that pass 0,
> > much less from hypercall provided values.
> 
> Still I don't think there should be an assertion here, not even an error.
> As much as memcpy(x, y, 0) is okay, it ought to be okay to invoke this
> function for entirely void bitmaps.

OK, are we fine then with just returning early if bits == 0?  No
assert and no error.

Thanks, Roger.
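As an added illustration, not the patch's code nor Xen's own bitmap_to_xenctl_bitmap(), the C below shows the two edge cases this thread discusses: the index of the final byte of an nbits-wide bitmap, which, written as nbits / 8, points one past the array exactly when nbits is a multiple of 8, and the empty-bitmap case handled as a no-op that returns 0 rather than an error. All function names and the sample byte arrays are hypothetical and constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Index of the final byte of an nbits-wide bitmap, computed two ways.
 * buggy_last_index() is the off-by-one pattern: right when nbits is not a
 * multiple of 8, one past the end of the array when it is.  Both names are
 * hypothetical helpers for illustration, not Xen's code. */
size_t buggy_last_index(size_t nbits)
{
    return nbits / 8;
}

size_t correct_last_index(size_t nbits)
{
    return (nbits + 7) / 8 - 1;   /* caller guarantees nbits > 0 */
}

/* Mask keeping only the bits of the final byte that belong to the bitmap;
 * when nbits is a multiple of 8 the whole byte is in use. */
uint8_t last_byte_mask(size_t nbits)
{
    unsigned int rem = nbits % 8;

    return rem ? (uint8_t)((1u << rem) - 1) : 0xff;
}

/* Copy an nbits-wide little-endian bytemap into dst (dst_len bytes).
 * Returns the number of bytes written or a negative errno value.
 * An empty bitmap is a no-op returning 0, in the spirit of memcpy(x, y, 0). */
int bitmap_copy_out(uint8_t *dst, size_t dst_len,
                    const uint8_t *bytemap, size_t nbits)
{
    size_t len, last;

    if ( !nbits )
        return 0;

    len = (nbits + 7) / 8;
    if ( len > dst_len )
        return -ENOSPC;

    /* The final byte is bytemap[len - 1]; bytemap[len] is never touched. */
    last = correct_last_index(nbits);
    memcpy(dst, bytemap, last);
    dst[last] = bytemap[last] & last_byte_mask(nbits);

    return (int)len;
}

/* Constructed sample: a 12-bit bitmap whose final byte carries junk in its
 * unused high nibble, followed by a sentinel byte that must never be read. */
int demo_copy_12_bits(void)
{
    const uint8_t src[3] = { 0x33, 0xfa, 0xee };   /* 0xee lies past the bitmap */
    uint8_t dst[2] = { 0, 0 };
    int n = bitmap_copy_out(dst, sizeof(dst), src, 12);

    return (n == 2 && dst[0] == 0x33 && dst[1] == 0x0a) ? 1 : 0;
}

/* Constructed sample: a 16-bit bitmap, the size class where nbits / 8 would
 * index one byte beyond a two-byte array. */
int demo_copy_16_bits(void)
{
    const uint8_t src[2] = { 0x01, 0x80 };
    uint8_t dst[2] = { 0, 0 };
    int n = bitmap_copy_out(dst, sizeof(dst), src, 16);

    return (n == 2 && dst[0] == 0x01 && dst[1] == 0x80) ? 1 : 0;
}
```

Comparing buggy_last_index() and correct_last_index() for 9, 12 and 16 bits shows why the over-read only surfaces for multiples of 8: the two agree everywhere else, so a test suite that never exercises a byte-aligned size will not catch the bug.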



Thread overview: 6+ messages
2025-04-24 10:38 [PATCH] xen: fix buffer over-read in bitmap_to_xenctl_bitmap() Roger Pau Monne
2025-04-24 11:41 ` Andrew Cooper
2025-04-24 13:04   ` Roger Pau Monné
2025-04-25  8:54     ` Jan Beulich
2025-04-25  9:04       ` Roger Pau Monné [this message]
2025-04-25  9:11         ` Jan Beulich