* [PATCH] x86/hvm: avoid potential NULL pointer dereferences
@ 2015-07-10 13:45 Paul Durrant
2015-07-10 13:47 ` Andrew Cooper
0 siblings, 1 reply; 2+ messages in thread
From: Paul Durrant @ 2015-07-10 13:45 UTC (permalink / raw)
To: xen-devel; +Cc: Andrew Cooper, Paul Durrant, Keir Fraser, Jan Beulich
Coverity flagged that hvm_next_io_handler() will return NULL after
calling domain_crash() and this will then lead to NULL pointer
dereferences in calling functions.
This patch checks for NULL in the callers and bails in that case.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Cc: Keir Fraser <keir@xen.org>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/arch/x86/hvm/intercept.c | 6 ++++++
xen/arch/x86/hvm/io.c | 3 +++
xen/arch/x86/hvm/stdvga.c | 4 ++++
3 files changed, 13 insertions(+)
diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index 19edd41..08a4e73 100644
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -265,6 +265,9 @@ void register_mmio_handler(struct domain *d,
{
struct hvm_io_handler *handler = hvm_next_io_handler(d);
+ if ( handler == NULL )
+ return;
+
handler->type = IOREQ_TYPE_COPY;
handler->ops = &mmio_ops;
handler->mmio.ops = ops;
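Review bot: The new `if ( handler == NULL ) return;` in register_mmio_handler() carries no explanation of why NULL can occur or why returning silently is acceptable. The commit message gives the reason (hvm_next_io_handler() has already called domain_crash()), but someone reading intercept.c later will not see it. A one-line comment above the check saying that the domain has already been crashed at this point would make the early return self-explanatory.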
@@ -275,6 +278,9 @@ void register_portio_handler(struct domain *d, unsigned int port,
{
struct hvm_io_handler *handler = hvm_next_io_handler(d);
+ if ( handler == NULL )
+ return;
+
handler->type = IOREQ_TYPE_PIO;
handler->ops = &portio_ops;
handler->portio.port = port;
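Review bot: The check in register_portio_handler() is the same three lines as in register_mmio_handler() above, and it appears again in io.c and stdvga.c, so every future caller of hvm_next_io_handler() has to remember to add it too. Since it took Coverity to notice that these callers were missing it, consider documenting the NULL return at hvm_next_io_handler() itself so the contract is stated in one place.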
diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c
index 603711c..a7f2bbc 100644
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -255,6 +255,9 @@ void register_dpci_portio_handler(struct domain *d)
{
struct hvm_io_handler *handler = hvm_next_io_handler(d);
+ if ( handler == NULL )
+ return;
+
handler->type = IOREQ_TYPE_PIO;
handler->ops = &dpci_portio_ops;
}
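Review bot: register_dpci_portio_handler() returns void, so with the new early return its caller continues without knowing that no handler was registered. That is fine as long as nothing later assumes the dpci port I/O handler exists before the crash is acted on. It is worth confirming that for the callers of this function, or stating in the commit message that it holds.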
diff --git a/xen/arch/x86/hvm/stdvga.c b/xen/arch/x86/hvm/stdvga.c
index 8222af3..47b8432 100644
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -576,6 +576,10 @@ void stdvga_init(struct domain *d)
/* VGA memory */
handler = hvm_next_io_handler(d);
+
+ if ( handler == NULL )
+ return;
+
handler->type = IOREQ_TYPE_COPY;
handler->ops = &stdvga_mem_ops;
}
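Review bot: In stdvga_init() the check covers only the direct hvm_next_io_handler() call under the "VGA memory" comment, and the return skips nothing but the two assignments that follow. Any work done earlier in stdvga_init() lies outside this hunk, so please confirm that no other direct hvm_next_io_handler() call in this file still dereferences the result unchecked.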
--
1.7.10.4
* Re: [PATCH] x86/hvm: avoid potential NULL pointer dereferences
2015-07-10 13:45 [PATCH] x86/hvm: avoid potential NULL pointer dereferences Paul Durrant
@ 2015-07-10 13:47 ` Andrew Cooper
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Cooper @ 2015-07-10 13:47 UTC (permalink / raw)
To: Paul Durrant, xen-devel; +Cc: Keir Fraser, Jan Beulich
On 10/07/15 14:45, Paul Durrant wrote:
> Coverity flagged that hvm_next_io_handler() will return NULL after
> calling domain_crash() and this will then lead to NULL pointer
> dereferences in calling functions.
>
> This patch checks for NULL in the callers and bails in that case.
>
> Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
> Cc: Keir Fraser <keir@xen.org>
> Cc: Jan Beulich <jbeulich@suse.com>
> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>