From mboxrd@z Thu Jan  1 00:00:00 1970
From: George Dunlap <George.Dunlap@eu.citrix.com>
Subject: Re: [PATCH 2 of 4] xentrace: fix type of offset to avoid
	ouf-of-bounds access
Date: Thu, 26 May 2011 11:05:42 +0100
Message-ID: <BANLkTikxoSS=sojUJfMgnR-Etj8sh4j77w@mail.gmail.com>
References: <patchbomb.1305037955@localhost>
	<575bf78214ef193e4480.1305037957@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <575bf78214ef193e4480.1305037957@localhost>
List-Unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Olaf Hering <olaf@aepfle.de>
Cc: xen-devel@lists.xensource.com, George Dunlap <george.dunlap@citrix.com>
List-Id: xen-devel@lists.xenproject.org

Acked-by: George Dunlap <george.dunlap@eu.citrix.com>

On Tue, May 10, 2011 at 3:32 PM, Olaf Hering <olaf@aepfle.de> wrote:
> # HG changeset patch
> # User Olaf Hering <olaf@aepfle.de>
> # Date 1305037381 -7200
> # Node ID 575bf78214ef193e44806aa9766e084d721783b5
> # Parent =A08ac937fa527b28243227193bf4749feb3a234c2c
> xentrace: fix type of offset to avoid ouf-of-bounds access
>
> Update the type of the local offset variable to match the type where
> this variable is stored. Also update the type of t_info_first_offset beca=
use
> it has also a limited range.
>
> Signed-off-by: Olaf Hering <olaf@aepfle.de>
>
> diff -r 8ac937fa527b -r 575bf78214ef xen/common/trace.c
> --- a/xen/common/trace.c =A0 =A0 =A0 =A0Tue May 10 16:23:00 2011 +0200
> +++ b/xen/common/trace.c =A0 =A0 =A0 =A0Tue May 10 16:23:01 2011 +0200
> @@ -106,7 +106,7 @@ static uint32_t calc_tinfo_first_offset(
> =A0* The t_info layout is fixed and cant be changed without breaking xent=
race.
> =A0* Initialize t_info_pages based on number of trace pages.
> =A0*/
> -static int calculate_tbuf_size(unsigned int pages, uint32_t t_info_first=
_offset)
> +static int calculate_tbuf_size(unsigned int pages, uint16_t t_info_first=
_offset)
> =A0{
> =A0 =A0 struct t_buf dummy_size;
> =A0 =A0 typeof(dummy_size.prod) max_size;
> @@ -170,8 +170,8 @@ static int alloc_trace_bufs(unsigned int
> =A0 =A0 int i, cpu, order;
> =A0 =A0 /* Start after a fixed-size array of NR_CPUS */
> =A0 =A0 uint32_t *t_info_mfn_list;
> - =A0 =A0uint32_t t_info_first_offset;
> - =A0 =A0int offset;
> + =A0 =A0uint16_t t_info_first_offset;
> + =A0 =A0uint16_t offset;
>
> =A0 =A0 if ( t_info )
> =A0 =A0 =A0 =A0 return -EBUSY;
> @@ -179,7 +179,7 @@ static int alloc_trace_bufs(unsigned int
> =A0 =A0 if ( pages =3D=3D 0 )
> =A0 =A0 =A0 =A0 return -EINVAL;
>
> - =A0 =A0/* Calculate offset in u32 of first mfn */
> + =A0 =A0/* Calculate offset in units of u32 of first mfn */
> =A0 =A0 t_info_first_offset =3D calc_tinfo_first_offset();
>
> =A0 =A0 pages =3D calculate_tbuf_size(pages, t_info_first_offset);
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
>