Ian Jackson
2010-Feb-02 17:22 UTC
[Xen-devel] [PATCH 1/2] libxc: Check full range of pfns for xc_dom_pfn_to_ptr
# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1265130967 0
# Node ID 5fc5ee3e3530d38a21d00b4ec2d559b47a23cf07
# Parent 72c359823655427fed7418f0a1cdd39d496ec571
libxc: Check full range of pfns for xc_dom_pfn_to_ptr
Previously, passing a valid pfn but an overly large count to
xc_dom_pfn_to_ptr, and functions which call it, would run off the end
of the pfn array giving undefined behaviour.
It is tempting to change this check to an assert, as no callers should
be providing invalid parameters here. But this is probably best not
done while frozen for 4.0.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
diff -r 72c359823655 -r 5fc5ee3e3530 tools/libxc/xc_dom_core.c
--- a/tools/libxc/xc_dom_core.c Tue Feb 02 15:47:36 2010 +0000
+++ b/tools/libxc/xc_dom_core.c Tue Feb 02 17:16:07 2010 +0000
@@ -288,7 +288,9 @@
unsigned int page_shift = XC_DOM_PAGE_SHIFT(dom);
char *mode = "unset";
- if ( pfn > dom->total_pages )
+ if ( pfn > dom->total_pages || /* multiple checks to avoid
overflows */
+ count > dom->total_pages ||
+ pfn > dom->total_pages - count )
{
xc_dom_printf("%s: pfn out of range (0x%" PRIpfn " >
0x%" PRIpfn ")\n",
__FUNCTION__, pfn, dom->total_pages);
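Review bot: the xc_dom_printf call in the failure branch still reports only pfn and dom->total_pages, so when one of the two new count tests is what fails (a valid pfn with an overly large count, the case the commit message describes), the log says "pfn out of range" and prints a pfn that is in range. Add count to the message so the failing parameter is visible. A smaller point on the condition itself: once `count > dom->total_pages` has been excluded, `pfn > dom->total_pages - count` already implies the original `pfn > dom->total_pages` test, so the first clause is redundant and the comment could say which of the remaining two guards the subtraction.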
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Ian Jackson
2010-Feb-02 17:23 UTC
[Xen-devel] Re: [PATCH 2/2] libxc: Check there's enough memory for segments
# HG changeset patch
# User Ian Jackson <Ian.Jackson@eu.citrix.com>
# Date 1265131163 0
# Node ID aeb8a70f42a5cc2cc7b076d128fa446201a79103
# Parent 5fc5ee3e3530d38a21d00b4ec2d559b47a23cf07
libxc: Check there's enough memory for segments we're creating
Previously, xc_dom_alloc_segment would go ahead even if the segment
we're trying to create is too big for the domain's RAM (or the
requested addr is out of range). It would pass invalid parameters to
xc_dom_seg_to_ptr giving undefined behaviour.
Fixing xc_dom_seg_to_ptr to fail is not sufficient because we want to
provide a comprehensible explanation to the caller - which may
ultimately be the user.
In particular, with this change attempting "xl create" with a ramdisk
image bigger than the guest's specified RAM will provide a useful
error message mentioning the ramdisk.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
diff -r 5fc5ee3e3530 -r aeb8a70f42a5 tools/libxc/xc_dom_core.c
--- a/tools/libxc/xc_dom_core.c Tue Feb 02 17:16:07 2010 +0000
+++ b/tools/libxc/xc_dom_core.c Tue Feb 02 17:19:23 2010 +0000
@@ -409,8 +409,19 @@
}
seg->vstart = start;
+ seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
+
+ if ( pages > dom->total_pages || /* double test avoids overflow probs
*/
+ pages > dom->total_pages - seg->pfn)
+ {
+ xc_dom_panic(XC_OUT_OF_MEMORY,
+ "%s: segment %s too large (0x%"PRIpfn" >
"
+ "0x%"PRIpfn" - 0x%"PRIpfn"
pages)\n",
+ __FUNCTION__, name, pages, dom->total_pages,
seg->pfn);
+ return -1;
+ }
+
seg->vend = start + pages * page_size;
- seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
dom->virt_alloc_end = seg->vend;
if (dom->allocate)
dom->allocate(dom, dom->virt_alloc_end);
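Review bot: the second test, `pages > dom->total_pages - seg->pfn`, subtracts seg->pfn without first establishing that seg->pfn is no larger than dom->total_pages. If these are unsigned pfn types, as the PRIpfn formats suggest, a start address beyond the end of RAM makes the subtraction wrap to a very large value and the check passes, which is the "requested addr is out of range" case the commit message says is covered. Using the same shape as patch 1/2 closes that: keep `pages > dom->total_pages`, then test `seg->pfn > dom->total_pages - pages`. Note also that seg->vstart and seg->pfn have already been written when the function returns -1; computing the pfn into a local and assigning to seg only after the check would leave the segment untouched on failure.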