From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Daley Subject: [PATCH] xen: Fix xenctl_cpumap_to_cpumask buffer size check Date: Tue, 13 Nov 2012 23:17:46 +1300 Message-ID: <1352801866-9512-1-git-send-email-mattjd@gmail.com> References: <50A214B902000078000A7F88@nat28.tlf.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <50A214B902000078000A7F88@nat28.tlf.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: JBeulich@suse.com Cc: Matthew Daley , xen-devel@lists.xen.org List-Id: xen-devel@lists.xenproject.org xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether bits should be masked off from the input cpumap bitmap or not. Fix and make clearer by simply comparing the amount of bytes given in the input cpumap to the amount actually copied; if equal, bits may need to be masked off. This does not have security impact: _xmalloc never returns allocations smaller than the size of a pointer, hence the uncorrected buffer size check would still not allow writes to unallocated memory. Signed-off-by: Matthew Daley --- Jan: Agreed with both of your points. Here's a v2. diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e153cb4..a7a6b9f 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask( { if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) ) err = -EFAULT; - if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) ) + if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) ) bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7)); } -- 1.7.10.4
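Review bot: the new condition `(guest_bytes == copy_bytes)` in the second `if` of the hunk carries its justification only in the commit message, so a reader of domctl.c cannot tell why equality is the right test. A short comment above that line would help, saying that equality means the guest's final, possibly partial, byte was actually copied into `bytemap`, so the bits above `nr_cpus & 7` in `bytemap[guest_bytes-1]` must be cleared. A smaller point on the same lines: as far as the hunk shows, the masking statement still runs after `copy_from_guest` has failed and `err` has been set to `-EFAULT`, because the two `if` statements are sequential. Making the second one an `else if` would keep a failed copy from touching `bytemap` at all.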