From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Ian Campbell <ian.campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Matthew Daley <mattjd@gmail.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
xen-devel@lists.xen.org, David Vrabel <david.vrabel@citrix.com>
Subject: Re: [PATCH 04/28] libxl: fix libxl_string_list_length and its only caller
Date: Thu, 26 Sep 2013 20:37:15 +0100
Message-ID: <52448CEB.9050109@citrix.com>
In-Reply-To: <52448B0A.6030808@oracle.com>
On 26/09/13 20:29, Boris Ostrovsky wrote:
> On 09/17/2013 11:37 PM, Matthew Daley wrote:
>> The wrong number of indirections was being taken in
>> libxl_string_list_length, and its only caller was miscounting the number
>> of initial non-list arguments, seemingly since the initial commit
>> (599c784).
>>
>> This has been seen and reported in the wild (##xen):
>> < Trixboxer> Hi, any idea why would I get
>> < Trixboxer> xl: libxl_bootloader.c:42: bootloader_arg: Assertion
>> `bl->nargs < bl->argsspace' failed.
>> < Trixboxer> 4.2.2-23.el6
>>
>> Coverity-ID: 1054954
>> Signed-off-by: Matthew Daley <mattjd@gmail.com>
>> ---
>> tools/libxl/libxl.c | 2 +-
>> tools/libxl/libxl_bootloader.c | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
>> index 0879f23..ca24ca3 100644
>> --- a/tools/libxl/libxl.c
>> +++ b/tools/libxl/libxl.c
>> @@ -202,7 +202,7 @@ int libxl_string_list_length(const
>> libxl_string_list *psl)
>> {
>> if (!psl) return 0;
>
> This should be
> if (!psl || !(*psl)) return 0;
>
> We segfault otherwise at the changed line below if no arguments are
> passed to the bootloader (as is the case with pvgrub).
>
>> int i = 0;
>> - while (*psl++) i++;
>> + while ((*psl)[i]) i++;
>> return i;
>> }
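Review bot: the new `while ((*psl)[i]) i++;` dereferences `*psl` unconditionally, but the guard two lines above only covers `psl == NULL`; a caller that passes a pointer to an empty list (`*psl == NULL`, which Boris notes is what happens when the bootloader gets no arguments) now faults on `(*psl)[0]` where the old body returned 0. Suggest widening the check in this hunk to `if (!psl || !*psl) return 0;` so the empty-list case is handled in the same place as the NULL-pointer case.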
>
> (I am surprised Coverity didn't flag this)
>
> -boris
For this bug, Coverity's specific objection was that the caller passes a
singleton pointer into this function, and this function uses it as an
array. This is a side effect of using the wrong indirection.
However, your spot of the crash is good, and needs fixing as well.
~Andrew
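As an added example, not code from the patch, from Boris, or from libxl itself: the pre-patch and patched bodies of libxl_string_list_length side by side, with the `*psl == NULL` guard Boris asks for, run on constructed lists. It assumes, as in libxl, that libxl_string_list is `char **` and that callers pass a pointer to one list; the wrapper function names are made up here.

```c
/* Added example, not code from the patch or from libxl: pre-patch and
 * patched bodies of libxl_string_list_length, plus the "*psl == NULL"
 * guard Boris asks for, run on constructed lists. Assumes, as in libxl,
 * that libxl_string_list is char ** and callers pass a char ***. */
#include <stddef.h>
#include <stdio.h>

typedef char **libxl_string_list;

/* Pre-patch body. "*psl++" advances psl, the pointer to the list, so it
 * counts consecutive lists in an array of lists, not the strings inside
 * *psl. Given a pointer to a single list, as the caller does, it reads
 * past that list: the singleton-used-as-array Coverity objected to. */
static int length_old(const libxl_string_list *psl)
{
    if (!psl) return 0;
    int i = 0;
    while (*psl++) i++;
    return i;
}

/* Patched body, with the extra guard for an empty list (*psl == NULL,
 * the "no bootloader arguments" case Boris hit with pvgrub). */
static int length_fixed(const libxl_string_list *psl)
{
    if (!psl || !*psl) return 0;
    int i = 0;
    while ((*psl)[i]) i++;
    return i;
}

/* Constructed inputs: a three-entry list, an empty list, and a
 * NULL-terminated array of two lists (well-defined input for length_old). */
static char *three_args[] = { "root=/dev/xvda1", "ro", "quiet", NULL };
static libxl_string_list empty_list = NULL;
static libxl_string_list two_lists[] = { three_args, three_args, NULL };

int fixed_three(void) { libxl_string_list l = three_args; return length_fixed(&l); } /* 3 */
int fixed_empty(void) { return length_fixed(&empty_list); }  /* 0 */
int fixed_null(void)  { return length_fixed(NULL); }         /* 0 */
/* The old body counts the two lists, not the three strings in each:
 * the indirection is off by one level. */
int old_counts_lists(void) { return length_old(two_lists); } /* 2 */
int main(void)
{
    printf("fixed: %d %d %d, old on array of lists: %d\n",
           fixed_three(), fixed_empty(), fixed_null(), old_counts_lists());
    return 0;
}
```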