From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: [PATCH] x86/sysctl: Don't clobber memory if NCAPINTS > ARRAY_SIZE(pi->hw_cap)
Date: Wed, 16 Sep 2015 10:01:45 +0100
Message-ID: <1442394105-20056-1-git-send-email-andrew.cooper3@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Xen-devel
Cc: Andrew Cooper, Wei Liu, Jan Beulich
List-Id: xen-devel@lists.xenproject.org

There is no current problem, as both NCAPINTS and pi->hw_cap are 8 entries,
but the limit should be calculated appropriately so as to avoid hypervisor
stack corruption if the two do get out of sync.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Wei Liu

I came across this during my cpuid levelling work. As I know I am not the
only person playing with NCAPINTS at the moment, I am posting this ahead of
the rest of the work.

Wei: Concerning 4.6, it might be worth taking this, as it will likely bite
downstream distributors who backport a 4.7 feature.

Also not fixed here is the fact that the libxl ABI hardcodes an 8 as the
length of this array, which is wrong. I have insufficient tuits to come up
with a backwards compatible fix at this time.
---
 xen/arch/x86/sysctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/sysctl.c b/xen/arch/x86/sysctl.c
index f36b52f..38b5dcb 100644
--- a/xen/arch/x86/sysctl.c
+++ b/xen/arch/x86/sysctl.c
@@ -75,7 +75,8 @@ long cpu_down_helper(void *data)
 void arch_do_physinfo(xen_sysctl_physinfo_t *pi)
 {
-    memcpy(pi->hw_cap, boot_cpu_data.x86_capability, NCAPINTS*4);
+    memcpy(pi->hw_cap, boot_cpu_data.x86_capability,
+           min(sizeof(pi->hw_cap), sizeof(boot_cpu_data.x86_capability)));
 
     if ( hvm_enabled )
         pi->capabilities |= XEN_SYSCTL_PHYSCAP_hvm;
     if ( iommu_enabled )
-- 
1.7.10.4
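Review bot: The min() in the new memcpy stops the overflow, but it also makes a size mismatch in either direction silent: if x86_capability grows past hw_cap, the extra feature words are dropped without any indication to the toolstack, and if hw_cap is the larger of the two, its tail is left holding whatever the caller put there. Since the cover text says the libxl ABI hardcodes 8 entries, it would be worth adding a BUILD_BUG_ON(sizeof(pi->hw_cap) < sizeof(boot_cpu_data.x86_capability)) (or at least a comment above the memcpy) so that the truncation the bounded copy now permits is caught at build time rather than surfacing as missing CPUID bits in the toolstack. Independently, replacing the hard-coded NCAPINTS*4 with sizeof() of both operands is the right change: the old form assumed 4-byte entries and the destination size, neither of which the compiler checked.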