From: Dario Faggioli
Subject: Re: [PATCH v2] libxc: fix leak of t_info in xc_tbuf_get_size()
Date: Thu, 11 Feb 2016 11:23:26 +0100
To: Ian Campbell, Harmandeep Kaur, xen-devel@lists.xenproject.org, George Dunlap
Cc: wei.liu2@citrix.com, ian.jackson@eu.citrix.com, stefano.stabellini@eu.citrix.com

On Thu, 2016-02-11 at 10:11 +0000, Ian Campbell wrote:
> On Thu, 2016-02-11 at 11:03 +0100, Dario Faggioli wrote:
> > On Thu, 2016-02-11 at 09:52 +0000, Ian Campbell wrote:
> > > On Thu, 2016-02-11 at 14:02 +0530, Harmandeep Kaur wrote:
> > > > =C2=A0 > > > > diff --git a/tools/libxc/xc_tbuf.c b/tools/libxc/xc_tbuf.c > > > > index 695939a..d96cc67 100644 > > > > --- a/tools/libxc/xc_tbuf.c > > > > +++ b/tools/libxc/xc_tbuf.c 
> > > > @@ -70,11 +70,13 @@ int xc_tbuf_get_size(xc_interface *xch, > > > > unsigned long > > > > *size) > > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0sysctl.u.tbuf_o= p.buffer_mfn); > > > > =C2=A0 > > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if ( t_info =3D=3D NULL || t_info->tb= uf_size =3D=3D 0 ) > > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0return -1; > > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0rc =3D -1; > > > > +=C2=A0=C2=A0=C2=A0=C2=A0else > > > > + *size =3D t_info->tbuf_size; > > > > =C2=A0 > > > > -=C2=A0=C2=A0=C2=A0=C2=A0*size =3D t_info->tbuf_size; > > > > +=C2=A0=C2=A0=C2=A0=C2=A0xenforeignmemory_unmap(xch->fmem, t_info, = *size);
> > >
> > > *size could be uninitialised here (in the error path) and even in the
> > > success case I don't think t_info->tbus_size is the right argument
> > > here, it needs to be the size which was passed to the map function, i.e.
> > > sysctl.u.tbuf_op.size.
> > >
> > And I think both are issues with the current code,
>
> I don't think so, the xenforeignmemory_unmap using *size as an argument
> (where it is either uninitialised or the wrong value) is added by this
> patch.
>

Ah, that one! Yes, you're right, I had overlooked this, and thought you
were referring to something else, sorry.

I agree sysctl.u.tbuf_op.size is what should be used.

Regards,
Dario
--
<> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
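
Review bot: On the added `xenforeignmemory_unmap(xch->fmem, t_info, *size);` line, the unmap runs on both branches, so when the check `t_info == NULL || t_info->tbuf_size == 0` takes the `rc = -1` path, `*size` has not been written by this function and `t_info` may itself be NULL. Guard the call with a `t_info != NULL` test and pass the length that was given to the map call (the thread names `sysctl.u.tbuf_op.size`) instead of `*size`, which on the success path holds `t_info->tbuf_size`. The added `*size = t_info->tbuf_size;` line under `else` also appears to be indented differently from the surrounding lines and should be made consistent with them.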