From mboxrd@z Thu Jan  1 00:00:00 1970
From: George Dunlap <george.dunlap@eu.citrix.com>
Subject: Re: [PATCH] xentrace: fix bug in t_info size
Date: Fri, 7 May 2010 19:36:24 -0500
Message-ID: <4BE4B208.4010209@eu.citrix.com>
References: <e633befe28ec57abb4df.1273278347@silas> <4BE4B104.10101@goop.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <4BE4B104.10101@goop.org>
List-Unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
List-Id: xen-devel@lists.xenproject.org

I don't think so...  The entire xen structure actually is allocated, and 
the bounds checking makes sure nothing goes off the end of it.  It's 
just that (before this patch) xentrace only maps one of the two pages 
when it maps t_info.  It then happily passes who knows what into 
xc_map_foreign_range().

Arguably, passing junk into xc_map_foreign_range() shouldn't crash Xen; 
but that's a slightly different issue.

 -George

Jeremy Fitzhardinge wrote:
> On 05/07/2010 05:25 PM, George Dunlap wrote:
>   
>> t_info size should be in bytes, not pages.  This fixes a bug
>> that crashes the hypervisor if the total number of all pages
>> is more than 1024 but less than 2048.
>>   
>>     
>
> Could this be causing other memory corruption too?
>
>     J
>
>   
>> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
>>
>> diff -r caea94988515 -r e633befe28ec xen/common/trace.c
>> --- a/xen/common/trace.c	Fri May 07 11:45:18 2010 +0100
>> +++ b/xen/common/trace.c	Fri May 07 19:20:52 2010 -0500
>> @@ -340,7 +340,7 @@
>>      case XEN_SYSCTL_TBUFOP_get_info:
>>          tbc->evt_mask   = tb_event_mask;
>>          tbc->buffer_mfn = t_info ? virt_to_mfn(t_info) : 0;
>> -        tbc->size = T_INFO_PAGES;
>> +        tbc->size = T_INFO_PAGES * PAGE_SIZE;
>>          break;
>>      case XEN_SYSCTL_TBUFOP_set_cpu_mask:
>>          xenctl_cpumap_to_cpumask(&tb_cpu_mask, &tbc->cpu_mask);
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xensource.com
>> http://lists.xensource.com/xen-devel
>>
>>   
>>     
>
>