From: George Dunlap <george.dunlap@eu.citrix.com>
To: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
Subject: Re: [PATCH] xentrace: fix bug in t_info size
Date: Fri, 7 May 2010 19:36:24 -0500
Message-ID: <4BE4B208.4010209@eu.citrix.com>
In-Reply-To: <4BE4B104.10101@goop.org>

I don't think so... The entire xen structure actually is allocated, and
the bounds checking makes sure nothing goes off the end of it. It's
just that (before this patch) xentrace only maps one of the two pages
when it maps t_info. It then happily passes who knows what into
xc_map_foreign_range().

Arguably, passing junk into xc_map_foreign_range() shouldn't crash Xen;
but that's a slightly different issue.

-George

Jeremy Fitzhardinge wrote:
> On 05/07/2010 05:25 PM, George Dunlap wrote:
>
>> t_info size should be in bytes, not pages. This fixes a bug
>> that crashes the hypervisor if the total number of all pages
>> is more than 1024 but less than 2048.
>>
>>
>
> Could this be causing other memory corruption too?
>
> J
>
>
>> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
>>
>> diff -r caea94988515 -r e633befe28ec xen/common/trace.c
>> --- a/xen/common/trace.c Fri May 07 11:45:18 2010 +0100
>> +++ b/xen/common/trace.c Fri May 07 19:20:52 2010 -0500
>> @@ -340,7 +340,7 @@
>> case XEN_SYSCTL_TBUFOP_get_info:
>> tbc->evt_mask = tb_event_mask;
>> tbc->buffer_mfn = t_info ? virt_to_mfn(t_info) : 0;
>> - tbc->size = T_INFO_PAGES;
>> + tbc->size = T_INFO_PAGES * PAGE_SIZE;
>> break;
>> case XEN_SYSCTL_TBUFOP_set_cpu_mask:
>> xenctl_cpumap_to_cpumask(&tb_cpu_mask, &tbc->cpu_mask);
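Review bot: On the changed line `tbc->size = T_INFO_PAGES * PAGE_SIZE;`, nothing in the hunk records that `size` is a byte count, and the removed line shows how easily a page count ends up in the same field. A short comment at the assignment, or on the field's definition, stating the unit would help, since per the commit message the consumer depends on this value being in bytes. It is also worth confirming that no other caller of XEN_SYSCTL_TBUFOP_get_info treated the old value as a number of pages, because such a caller would now see a value PAGE_SIZE times larger.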
>>