Puthiyaparambil, Aravindh
2006-Jun-01 18:53 UTC
[Xen-devel] [PATCH][Builder] Check if v_end wraps around to 0
Keir,

I hope this is what you are looking for.

Aravindh

-------------------------------------------
This patch adds a check to see if v_end in setup_guest() wraps around to 0 and lets the builder exit gracefully when it does.

Signed-off-by: Aravindh Puthiyaparambil <aravindh.puthiyaparambil@unisys.com>

> -----Original Message-----
> From: Keir Fraser [mailto:Keir.Fraser@cl.cam.ac.uk]
> Sent: Thursday, June 01, 2006 6:14 AM
> To: Puthiyaparambil, Aravindh
> Cc: xen-devel@lists.xensource.com
> Subject: Re: Malformed image causing builder to crash
>
>
> On 31 May 2006, at 18:53, Puthiyaparambil, Aravindh wrote:
>
> > An image with VIRT_START and ELF_PADDR_OFFSET equal to 0 and its linker
> > entry at 0xffffffff80000000 (Is this a malformed image?) causes the
> > builder to crash in loadelfimage() [line 235] because parray is going
> > out of bounds. Output from the builder is shown below. What seems to be
> > happening is that in setup_guest(), the variable v_end is becoming zero
> > after the "for ( nr_pt_pages = 2; ; nr_pt_pages++ )" loop. Also note
> > that the value of nr_pt_pages is very large. The reason is that
> > dsi->v_start is 0 which throws things off. But this is totally valid so
> > I am not sure what checks need to be introduced to stop this from
> > happening. Should the bounds check for the array be reintroduced?
>
> The problem is almost certainly a wrap in
> xc_linux_build.c:setup_guest(). v_end is taken from parseelfimage() and
> then incremented to make room for initrd, page tables, etc. If that
> wraps round to zero then the size check will pass and things will
> generally be screwed.
>
> We probably need to take care whenever we increment v_end to ensure
> that 'inc < -v_end'.
>
> -- Keir
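As an added illustration (not Xen's setup_guest() and not the submitted patch), the checked increment Keir describes sits next to the unchecked arithmetic and the size check it fools; the helper names, addresses and lengths are constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not Xen's): bump *v_end by inc, refusing the add if it
 * would wrap past 0. Keir's "inc < -v_end" is the same test in unsigned math
 * (-v_end == UINT64_MAX - v_end + 1 is the room left), except that this form
 * also accepts v_end == 0, where -v_end is 0 and the literal test refuses everything. */
static bool vend_add(uint64_t *v_end, uint64_t inc)
{
    if (inc > UINT64_MAX - *v_end)
        return false;              /* caller must abort the build */
    *v_end += inc;
    return true;
}

/* A size check of the kind that passes once v_end has wrapped: the wrapped value looks like a tiny image (4 KiB pages assumed). */
static bool naive_fits(uint64_t v_start, uint64_t v_end, uint64_t nr_pages)
{
    return ((v_end - v_start) >> 12) <= nr_pages;
}

/* Constructed layout (not real Xen values): v_start 0, image ending 2 MiB below 2^64, then 1 MiB of initrd and 2 MiB of page tables. */
#define SCENARIO_V_END   UINT64_C(0xffffffffffe00000)
#define SCENARIO_INITRD  UINT64_C(0x100000)
#define SCENARIO_PT      UINT64_C(0x200000)

/* Unchecked arithmetic: the v_end the size check would actually see. */
static uint64_t scenario_unchecked_v_end(void)
{
    return SCENARIO_V_END + SCENARIO_INITRD + SCENARIO_PT;  /* wraps to 0x100000 */
}

/* Checked arithmetic: returns 1 when the page-table reservation is refused. */
static int scenario_checked_rejects(void)
{
    uint64_t v_end = SCENARIO_V_END;
    if (!vend_add(&v_end, SCENARIO_INITRD))       /* 1 MiB of room left: ok */
        return 0;
    return vend_add(&v_end, SCENARIO_PT) ? 0 : 1;  /* would wrap: refused */
}

int main(void)
{
    uint64_t w = scenario_unchecked_v_end();
    printf("unchecked: v_end = 0x%" PRIx64 ", naive size check passes = %d\n", w, naive_fits(0, w, 1024));
    printf("checked: wrap refused = %d\n", scenario_checked_rejects());
    return 0;
}
```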