From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Campbell Subject: [PATCH 4.0-testing 04/10] x86/mm: Fix loop increment in paging_log_dirty_range() Date: Mon, 11 Feb 2013 13:12:47 +0000 Message-ID: <1360588373-779-4-git-send-email-ian.campbell@citrix.com> References: <1360588355.20449.34.camel@zakaz.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1360588355.20449.34.camel@zakaz.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: Tim Deegan List-Id: xen-devel@lists.xenproject.org From: Tim Deegan In 23417:53ef1f35a0f8 (the fix for XSA-27 / CVE-2012-5511), the loop variable gets incremented twice, so the loop only clears every second page of the bitmap. This might cause the tools to think that pages are dirty when they are not. Reported-by: Steven Noonan Reported-by: Matt Wilson Signed-off-by: Tim Deegan Acked-by: Ian Campbell Committed-by: Jan Beulich --- xen/arch/x86/mm/paging.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c index bba747e..0caebe0 100644 --- a/xen/arch/x86/mm/paging.c +++ b/xen/arch/x86/mm/paging.c @@ -491,7 +491,8 @@ int paging_log_dirty_range(struct domain *d, size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long); rv = 0; - for ( off = 0; !rv && off < size; off += sizeof zeroes ) + off = 0; + while ( !rv && off < size ) { int todo = min(size - off, (int) PAGE_SIZE); if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) ) -- 1.7.2.5
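Review bot: the hunk removes the `off += sizeof zeroes` increment from the `for` header and converts the loop to `off = 0; while ( !rv && off < size )`, but the remaining increment that now drives the loop lives in the body below the visible context, so the diff on its own does not show that `off` still advances by exactly `todo` bytes per iteration and in step with `copy_to_guest_offset(dirty_bitmap, off, zeroes, todo)`; please extend the context (or state in the commit message) where the single remaining increment is, so a backport reviewer can confirm there is no longer a double step and no zero step that would turn the stale-dirty-bit bug into an infinite loop. Also note that the old header stepped by `sizeof zeroes` while the body chunks by `(int) PAGE_SIZE`; with the header increment gone, the body's `todo` is the only stride, which removes that mismatch, and it would be worth saying so explicitly since the 4.0-testing tree is receiving this as a follow-up to the XSA-27 / CVE-2012-5511 fix.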