From: Juergen Gross <jgross@suse.com>
To: YueHaibing <yuehaibing@huawei.com>,
boris.ostrovsky@oracle.com, sstabellini@kernel.org,
tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
hpa@zytor.com
Cc: linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org,
x86@kernel.org
Subject: Re: [PATCH -next] x86/xen: Fix read buffer overflow
Date: Tue, 18 Dec 2018 09:31:26 +0100 [thread overview]
Message-ID: <7825d772-338a-e39e-eaff-73e666ef5c08@suse.com> (raw)
In-Reply-To: <20181218081910.18080-1-yuehaibing@huawei.com>
On 18/12/2018 09:19, YueHaibing wrote:
> Fix smatch warning:
>
> arch/x86/xen/enlighten_pv.c:649 get_trap_addr() error:
> buffer overflow 'early_idt_handler_array' 32 <= 32
>
> Fixes: 42b3a4cb5609 ("x86/xen: Support early interrupts in xen pv guests")
> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
> ---
> arch/x86/xen/enlighten_pv.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
> index 2f6787f..81f200d 100644
> --- a/arch/x86/xen/enlighten_pv.c
> +++ b/arch/x86/xen/enlighten_pv.c
> @@ -646,7 +646,7 @@ static bool __ref get_trap_addr(void **addr, unsigned int ist)
>
> if (nr == ARRAY_SIZE(trap_array) &&
> *addr >= (void *)early_idt_handler_array[0] &&
> - *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS]) {
> + *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1]) {
> nr = (*addr - (void *)early_idt_handler_array[0]) /
> EARLY_IDT_HANDLER_SIZE;
> *addr = (void *)xen_early_idt_handler_array[nr];
>
No, this patch is wrong.
early_idt_handler_array is a 2-dimensional array:
const char
early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];
So above code doesn't do an out of bounds array access, but checks for
*addr being in the array or outside of it (note the "<" used for the
test).
Juergen
next prev parent reply other threads:[~2018-12-18 8:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-18 8:19 [PATCH -next] x86/xen: Fix read buffer overflow YueHaibing
2018-12-18 8:31 ` Juergen Gross [this message]
2018-12-18 10:42 ` YueHaibing
2018-12-18 11:28 ` [Xen-devel] " Andrew Cooper
2018-12-18 17:35 ` Boris Ostrovsky
2018-12-18 21:56 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7825d772-338a-e39e-eaff-73e666ef5c08@suse.com \
--to=jgross@suse.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=sstabellini@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox