From mboxrd@z Thu Jan 1 00:00:00 1970 From: Keir Fraser Subject: Re: Bug in smpboot.c? Date: Fri, 10 Jun 2011 08:30:10 +0100 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: "John McDermott (U.S. Navy Employee)" , xen-devel@lists.xensource.com List-Id: xen-devel@lists.xenproject.org On 09/06/2011 16:49, "John McDermott (U.S. Navy Employee)" wrote: > Xen Developers, > > In C function cpu_add(), in xen/arch/x86/smpboot.c, if acpi_id == > MAX_MADT_ENTRIES, won't this write past the end of array > x86_acpiid_toapicid[MAX_MADT_ENTRIES]? I am looking at xen-unstable. It looks > like the guard is not catching this 1 case? Fixed in xen-unstable:23505. Fortunately this function is only accessible from the TCB so it's not exploitable. Thanks, -- Keir > Sincerely, > > John McDermott > ---- > What is the formal meaning of the one-line program > #include "/dev/tty" > > J.P. McDermott building 12 > Code 5542 mcdermott@itd.nrl.navy.mil > Naval Research Laboratory voice: +1 202.404.8301 > Washington, DC 20375, US fax: +1 202.404.7942 > > > > > > > > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xensource.com > http://lists.xensource.com/xen-devel