File xen.144aec4140515c53bb1676df71a469f3e285c557.patch of Package xen
From: Jan Beulich <jbeulich@suse.com> Date: Wed, 26 Apr 2017 09:48:45 +0200 Subject: 144aec4140515c53bb1676df71a469f3e285c557 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit x86/32on64: properly honor add-to-physmap-batch's size Commit 407a3c00ff ("compat/memory: fix build with old gcc") "fixed" a build issue by switching to the use of uninitialized data. Due to - the bounding of the uninitialized data item - the accessed area being outside of Xen space - arguments being properly verified by the native hypercall function this is not a security issue. Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Release-acked-by: Julien Grall <julien.grall@arm.com> --- xen/common/compat/memory.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/xen/common/compat/memory.c +++ b/xen/common/compat/memory.c 
@@ -204,30 +204,32 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat) if ( copy_from_guest(&cmp.atp, compat, 1) ) return -EFAULT; XLAT_add_to_physmap(nat.atp, &cmp.atp); break; case XENMEM_add_to_physmap_batch: { unsigned int limit = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.atpb)) / (sizeof(nat.atpb->idxs.p) + sizeof(nat.atpb->gpfns.p)); /* Use an intermediate variable to suppress warnings on old gcc: */ - unsigned int size = cmp.atpb.size; + unsigned int size; xen_ulong_t *idxs = (void *)(nat.atpb + 1); xen_pfn_t *gpfns = (void *)(idxs + limit); - if ( copy_from_guest(&cmp.atpb, compat, 1) || - !compat_handle_okay(cmp.atpb.idxs, size) || + if ( copy_from_guest(&cmp.atpb, compat, 1) ) + return -EFAULT; + size = cmp.atpb.size; + if ( !compat_handle_okay(cmp.atpb.idxs, size) || !compat_handle_okay(cmp.atpb.gpfns, size) || !compat_handle_okay(cmp.atpb.errs, size) ) return -EFAULT; end_extent = start_extent + limit; if ( end_extent > size ) end_extent = size; idxs -= start_extent; gpfns -= start_extent; for ( i = start_extent; i < end_extent; ++i )
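Review bot: The comment "Use an intermediate variable to suppress warnings on old gcc:" now sits above the bare declaration `unsigned int size;`, while the line that matters, `size = cmp.atpb.size;`, is further down after the `copy_from_guest(&cmp.atpb, compat, 1)` check. The defect being fixed was reading `cmp.atpb.size` in the initializer before `cmp.atpb` had been filled in, so I would move or extend the comment to the assignment and state that it has to follow the successful copy. Otherwise a later cleanup could fold the assignment back into the declaration. Splitting the copy failure into its own `return -EFAULT` ahead of the three `compat_handle_okay()` calls looks correct, since each of them now sees the size taken from the local copy.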