Puthiyaparambil, Aravindh
2006-Jun-07 14:54 UTC
[Xen-devel] [PATCH][RESEND][Builder] Check if v_end wraps around to 0
This patch adds a check to see if v_end in setup_guest() wraps around to 0 and lets the builder exit gracefully when it does.

Signed-off-by: Aravindh Puthiyaparambil <aravindh.puthiyaparambil@unisys.com>

> -----Original Message-----
> From: Keir Fraser [mailto:Keir.Fraser@cl.cam.ac.uk]
> Sent: Thursday, June 01, 2006 6:14 AM
> To: Puthiyaparambil, Aravindh
> Cc: xen-devel@lists.xensource.com
> Subject: Re: Malformed image causing builder to crash
>
> On 31 May 2006, at 18:53, Puthiyaparambil, Aravindh wrote:
>
> > An image with VIRT_START and ELF_PADDR_OFFSET equal to 0 and its linker
> > entry at 0xffffffff80000000 (Is this a malformed image?) causes the
> > builder to crash in loadelfimage() [line 235] because parray is going
> > out of bounds. Output from the builder is shown below. What seems to be
> > happening is that in setup_guest(), the variable v_end is becoming zero
> > after the "for ( nr_pt_pages = 2; ; nr_pt_pages++ )" loop. Also note
> > that the value of nr_pt_pages is very large. The reason is that
> > dsi->v_start is 0 which throws things off. But this is totally valid so
> > I am not sure what checks need to be introduced to stop this from
> > happening. Should the bounds check for the array be reintroduced?
>
> The problem is almost certainly a wrap in
> xc_linux_build.c:setup_guest(). v_end is taken from parseelfimage() and
> then incremented to make room for initrd, page tables, etc. If that
> wraps round to zero then the size check will pass and things will
> generally be screwed.
>
> We probably need to take care whenever we increment v_end to ensure
> that ''inc < -v_end''.
>
> -- Keir

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Keir Fraser
2006-Jun-07 15:49 UTC
[Xen-devel] Re: [PATCH][RESEND][Builder] Check if v_end wraps around to 0
On 7 Jun 2006, at 15:54, Puthiyaparambil, Aravindh wrote:

> This patch adds a check to see if v_end in setup_guest() wraps around
> to 0 and lets the builder exit gracefully when it does.
>
> Signed-off-by: Aravindh Puthiyaparambil
> <aravindh.puthiyaparambil@unisys.com>

How about the following patch, which is more thorough about checking every increment of v_end?

-- Keir
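
Added example, not part of the original thread and not the patch attached to the message above: the `inc < -v_end` guard from the discussion, applied to every increment of v_end, next to the same layout with no checks. The layout steps, the 4 KiB page size, the function names and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL /* assumption: 4 KiB pages */

/* The guard from the thread: in unsigned arithmetic 0 - v_end is the room
 * left before the address wraps to 0, so adding inc is safe only when
 * inc < -v_end. A v_end of 0 leaves no room, so everything is refused. */
static int grow_v_end(uint64_t *v_end, uint64_t inc)
{
    if (inc >= (uint64_t)0 - *v_end)
        return -1;
    *v_end += inc;
    return 0;
}

/* Hypothetical layout: initrd, page-align, then page tables after the
 * kernel. Every increment of v_end goes through the guard. */
static int layout_checked(uint64_t kernel_end, uint64_t initrd_len,
                          uint64_t nr_pt_pages, uint64_t *out)
{
    uint64_t v_end = kernel_end;
    if (nr_pt_pages > UINT64_MAX / PAGE_SIZE)   /* product would wrap */
        return -1;
    if (grow_v_end(&v_end, initrd_len) ||
        grow_v_end(&v_end, ((uint64_t)0 - v_end) & (PAGE_SIZE - 1)) ||
        grow_v_end(&v_end, nr_pt_pages * PAGE_SIZE))
        return -1;
    *out = v_end;
    return 0;
}

/* Same layout with no checks: returns whatever the sums wrap to. */
static uint64_t layout_unchecked(uint64_t kernel_end, uint64_t initrd_len,
                                 uint64_t nr_pt_pages)
{
    uint64_t v_end = kernel_end + initrd_len;
    v_end = (v_end + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return v_end + nr_pt_pages * PAGE_SIZE;
}

int main(void)
{
    uint64_t v_end = 0, kend = 0xffffffff80400000ULL; /* constructed */
    int rc = layout_checked(kend, 0x7fc00000ULL, 8, &v_end);
    printf("checked rc=%d, unchecked v_end=%#llx\n", rc,
           (unsigned long long)layout_unchecked(kend, 0x7fc00000ULL, 8));
    return 0;
}
```

With the constructed inputs the unchecked sum lands far below the kernel's end address, which is the state in which a later "does it fit" comparison passes by accident; the checked version stops at the first increment that would reach the wrap point.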
Puthiyaparambil, Aravindh
2006-Jun-07 17:01 UTC
[Xen-devel] RE: [PATCH][RESEND][Builder] Check if v_end wraps around to 0
Keir,

Yes, your patch is much better and more thorough.

Thanks,
Aravindh

> -----Original Message-----
> From: Keir Fraser [mailto:Keir.Fraser@cl.cam.ac.uk]
> Sent: Wednesday, June 07, 2006 11:50 AM
> To: Puthiyaparambil, Aravindh
> Cc: xen-devel@lists.xensource.com
> Subject: Re: [PATCH][RESEND][Builder] Check if v_end wraps around to 0
>
> On 7 Jun 2006, at 15:54, Puthiyaparambil, Aravindh wrote:
>
> > This patch adds a check to see if v_end in setup_guest() wraps around
> > to 0 and lets the builder exit gracefully when it does.
> >
> > Signed-off-by: Aravindh Puthiyaparambil
> > <aravindh.puthiyaparambil@unisys.com>
>
> How about the following patch, which is more thorough about checking
> every increment of v_end?
>
> -- Keir