Xen devel - Mar 2009 - [PATCH]ioemu: fix buffer overflow of vslots

Assuming we assign n devices, strlen(direct_pci) can be 13n and the length of
the old ''vslots'' is 13n/3 which is smaller than 5n+1 (1
slot_str takes 5 bytes).
So we have to malloc a bigger buffer for vslots.

Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>

diff --git a/hw/pass-through.c b/hw/pass-through.c
index f5cdcdd..07cd4f4 100644
--- a/hw/pass-through.c
+++ b/hw/pass-through.c
@@ -3934,10 +3934,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci)
     if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) )
         return 0;

-    /* the virtual pci slots of all pass-through devs
-     * with hex format: xx;xx...;
+    /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It may
+     * be even longer considering the per-device opts(see the parsing for
+     * ''/local/domain/0/backend/pci/XX/YY/opts-ZZ'' in
+     * xenstore_parse_domain_config().
+     *
+     * The format of vslots(virtual pci slots of all pass-through devs):
+     * 0xXX;0xXX;... (see the code below).
+     *
+     * We''re sure the length of direct_pci is bigger than that of
vslots.
      */
-    vslots = qemu_mallocz ( strlen(direct_pci) / 3 );
+    vslots = qemu_mallocz(strlen(direct_pci) + 1);
+    if ( vslots == NULL )
+    {
+        status = -1;
+        goto err;
+    }

     /* Assign given devices to guest */
     while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f,
&opt) )
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Wed, Mar 25, 2009 at 06:08:16PM +0800, Cui, Dexuan
wrote:
> Assuming we assign n devices, strlen(direct_pci) can be 13n and the length
of the old ''vslots'' is 13n/3 which is smaller than 5n+1 (1
slot_str takes 5 bytes).
> So we have to malloc a bigger buffer for vslots.
> 
> Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>
> 
> diff --git a/hw/pass-through.c b/hw/pass-through.c
> index f5cdcdd..07cd4f4 100644
> --- a/hw/pass-through.c
> +++ b/hw/pass-through.c
> @@ -3934,10 +3934,22 @@ int pt_init(PCIBus *e_bus, const char *direct_pci)
>      if ( !(direct_pci_head = direct_pci_p = strdup(direct_pci)) )
>          return 0;
> 
> -    /* the virtual pci slots of all pass-through devs
> -     * with hex format: xx;xx...;
> +    /* The minimal format of direct_pci: xxxx:xx:xx.x-xxxx:xx:xx.x-... It
may
> +     * be even longer considering the per-device opts(see the parsing for
> +     * ''/local/domain/0/backend/pci/XX/YY/opts-ZZ'' in
> +     * xenstore_parse_domain_config().
> +     *
> +     * The format of vslots(virtual pci slots of all pass-through devs):
> +     * 0xXX;0xXX;... (see the code below).
> +     *
> +     * We''re sure the length of direct_pci is bigger than that of
vslots.
>       */
> -    vslots = qemu_mallocz ( strlen(direct_pci) / 3 );
> +    vslots = qemu_mallocz(strlen(direct_pci) + 1);
This looks good to me.
> +    if ( vslots == NULL )
> +    {
> +        status = -1;
Status is already -1 at this point.
> +        goto err;
> +    }
> 
>      /* Assign given devices to guest */
>      while ( next_bdf(&direct_pci_p, &seg, &b, &d, &f,
&opt) )
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
-- 
Simon Horman
  VA Linux Systems Japan K.K., Sydney, Australia Satellite Office
  H: www.vergenet.net/~horms/             W: www.valinux.co.jp/en


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Simon Horman wrote:
>> +    if ( vslots == NULL )
>> +    {
>> +        status = -1;
> 
> Status is already -1 at this point.
Oh, a little redundant... :-)
> 
>> +        goto err;
>> +    }
>> 
>>      /* Assign given devices to guest */
>>      while ( next_bdf(&direct_pci_p, &seg, &b, &d,
&f, &opt) )

Thanks,
-- Dexuan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel