* [patch] xen: off by one errors in multicalls.c
@ 2011-06-03 4:45 Dan Carpenter
From: Dan Carpenter @ 2011-06-03 4:45 UTC (permalink / raw)
To: Jeremy Fitzhardinge
Cc: open list:XEN HYPERVISOR IN..., Konrad Rzeszutek Wilk,
maintainer:X86 ARCHITECTURE..., kernel-janitors,
open list:XEN HYPERVISOR IN..., Ingo Molnar, H. Peter Anvin,
Thomas Gleixner
b->args[] has MC_ARGS elements, so the comparison here should be
">=" instead of ">". Otherwise we read past the end of the array
one space.
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
This is a static checker patch and I haven't tested it. Please
review carefully.
diff --git a/arch/x86/xen/multicalls.c b/arch/x86/xen/multicalls.c
index 8bff7e7..1b2b73f 100644
--- a/arch/x86/xen/multicalls.c
+++ b/arch/x86/xen/multicalls.c
@@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args)
unsigned argidx = roundup(b->argidx, sizeof(u64));
BUG_ON(preemptible());
- BUG_ON(b->argidx > MC_ARGS);
+ BUG_ON(b->argidx >= MC_ARGS);
if (b->mcidx == MC_BATCH ||
- (argidx + args) > MC_ARGS) {
+ (argidx + args) >= MC_ARGS) {
mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS);
xen_mc_flush();
argidx = roundup(b->argidx, sizeof(u64));
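Review bot: the entry assertion `BUG_ON(b->argidx >= MC_ARGS);` is tighter than the array bound requires. b->argidx is the end offset of the bytes already handed out (the next hunk does `ret.args = &b->args[argidx]; b->argidx = argidx + args;`), so b->argidx == MC_ARGS describes a buffer that is exactly full with every used element still inside args[0..MC_ARGS-1]; it is not by itself an out-of-bounds access. The assertion only stays unreachable because the flush condition in the same hunk, `(argidx + args) >= MC_ARGS`, is tightened at the same time, which also means a request that would fit exactly now forces a flush and the last byte of args[] is never used. The two changes depend on each other, so a comment at the BUG_ON saying that argidx is an end offset and that the buffer is deliberately kept one byte short of MC_ARGS would make the coupling explicit for the next reader.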
@@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args)
ret.args = &b->args[argidx];
b->argidx = argidx + args;
- BUG_ON(b->argidx > MC_ARGS);
+ BUG_ON(b->argidx >= MC_ARGS);
return ret;
}
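Review bot: the post-condition `BUG_ON(b->argidx >= MC_ARGS);` after `b->argidx = argidx + args;` now duplicates the flush test from the first hunk: the flush already runs whenever (argidx + args) >= MC_ARGS, so this assertion can only fire when the flush did not make enough room for a single request, that is, when args on its own is too large for the buffer. If that is the case it is meant to catch, checking args against MC_ARGS up front would report the problem at its cause instead of after ret.args has been handed out and b->argidx advanced.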
@@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size)
struct multicall_space ret = { NULL, NULL };
BUG_ON(preemptible());
- BUG_ON(b->argidx > MC_ARGS);
+ BUG_ON(b->argidx >= MC_ARGS);
if (b->mcidx == 0)
return ret;
@@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size)
if (b->entries[b->mcidx - 1].op != op)
return ret;
- if ((b->argidx + size) > MC_ARGS)
+ if ((b->argidx + size) >= MC_ARGS)
return ret;
ret.mc = &b->entries[b->mcidx - 1];
ret.args = &b->args[b->argidx];
b->argidx += size;
- BUG_ON(b->argidx > MC_ARGS);
+ BUG_ON(b->argidx >= MC_ARGS);
return ret;
}
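Review bot: the new `if ((b->argidx + size) >= MC_ARGS) return ret;` refuses an extension that would end exactly at MC_ARGS, even though the bytes it would return, args[b->argidx] through args[b->argidx + size - 1], all lie inside the array. The stricter test is safe and matches the tightened `BUG_ON(b->argidx >= MC_ARGS);` after `b->argidx += size;`, but it is a conservative boundary rather than the one-past-the-end read the changelog describes, so the commit message should state that the buffer is being deliberately limited to MC_ARGS - 1 usable bytes; callers in that exact-fit case now receive the `{ NULL, NULL }` result and must handle it like any other failed extension.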
* Re: [patch] xen: off by one errors in multicalls.c
From: Jeremy Fitzhardinge @ 2011-06-03 18:24 UTC (permalink / raw)
To: Dan Carpenter
Cc: Jeremy Fitzhardinge, Konrad Rzeszutek Wilk,
maintainer:X86 ARCHITECTURE..., kernel-janitors,
open list:XEN HYPERVISOR IN..., open list:XEN HYPERVISOR IN...,
H. Peter Anvin, Thomas Gleixner, Ingo Molnar
On 06/02/2011 09:45 PM, Dan Carpenter wrote:
> b->args[] has MC_ARGS elements, so the comparison here should be
> ">=" instead of ">". Otherwise we read past the end of the array
> one space.
Yeah, looks like a correct fix. Fortunately I don't think anything
currently hits that path in practice, though there are some pending
patches which will exercise it more.
Thanks,
J
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> This is a static checker patch and I haven't tested it. Please
> review carefully.
>
> diff --git a/arch/x86/xen/multicalls.c b/arch/x86/xen/multicalls.c
> index 8bff7e7..1b2b73f 100644
> --- a/arch/x86/xen/multicalls.c
> +++ b/arch/x86/xen/multicalls.c
> @@ -189,10 +189,10 @@ struct multicall_space __xen_mc_entry(size_t args)
> unsigned argidx = roundup(b->argidx, sizeof(u64));
>
> BUG_ON(preemptible());
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
>
> if (b->mcidx == MC_BATCH ||
> - (argidx + args) > MC_ARGS) {
> + (argidx + args) >= MC_ARGS) {
> mc_stats_flush(b->mcidx == MC_BATCH ? FL_SLOTS : FL_ARGS);
> xen_mc_flush();
> argidx = roundup(b->argidx, sizeof(u64));
> @@ -206,7 +206,7 @@ struct multicall_space __xen_mc_entry(size_t args)
> ret.args = &b->args[argidx];
> b->argidx = argidx + args;
>
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
> return ret;
> }
>
> @@ -216,7 +216,7 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size)
> struct multicall_space ret = { NULL, NULL };
>
> BUG_ON(preemptible());
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
>
> if (b->mcidx == 0)
> return ret;
> @@ -224,14 +224,14 @@ struct multicall_space xen_mc_extend_args(unsigned long op, size_t size)
> if (b->entries[b->mcidx - 1].op != op)
> return ret;
>
> - if ((b->argidx + size) > MC_ARGS)
> + if ((b->argidx + size) >= MC_ARGS)
> return ret;
>
> ret.mc = &b->entries[b->mcidx - 1];
> ret.args = &b->args[b->argidx];
> b->argidx += size;
>
> - BUG_ON(b->argidx > MC_ARGS);
> + BUG_ON(b->argidx >= MC_ARGS);
> return ret;
> }
>
> _______________________________________________
> Virtualization mailing list
> Virtualization@lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/virtualization
>
* Re: [Xen-devel] Re: [patch] xen: off by one errors in multicalls.c
From: Konrad Rzeszutek Wilk @ 2011-06-03 19:57 UTC (permalink / raw)
To: Jeremy Fitzhardinge
Cc: open list:XEN HYPERVISOR IN..., Dan Carpenter,
maintainer:X86 ARCHITECTURE..., kernel-janitors,
open list:XEN HYPERVISOR IN..., Jeremy Fitzhardinge,
H. Peter Anvin, Thomas Gleixner, Ingo Molnar
On Fri, Jun 03, 2011 at 11:24:20AM -0700, Jeremy Fitzhardinge wrote:
> On 06/02/2011 09:45 PM, Dan Carpenter wrote:
> > b->args[] has MC_ARGS elements, so the comparison here should be
> > ">=" instead of ">". Otherwise we read past the end of the array
> > one space.
>
> Yeah, looks like a correct fix. Fortunately I don't think anything
> currently hits that path in practice, though there are some pending
> patches which will exercise it more.
OK, queueing it for rc1.