Stefano Stabellini
2011-Feb-01 16:40 UTC
[Xen-devel] [PATCH] libxl: fix unsafe subtraction in libxl_set_memory_target
The current libxl_set_memory_target function subtracts a negative amount
from a uint32_t variable without checking if the operation wraps
around.
This patch fixes this bug (that I previously believed to be a
hypervisor issue):
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1729
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
diff -r a69965e61ae9 tools/libxl/libxl.c
--- a/tools/libxl/libxl.c Mon Jan 31 17:47:24 2011 +0000
+++ b/tools/libxl/libxl.c Tue Feb 01 16:34:43 2011 +0000
@@ -2059,9 +2059,12 @@ retry_transaction:
goto out;
}
- if (relative)
- new_target_memkb = current_target_memkb + target_memkb;
- else
+ if (relative) {
+ if (target_memkb < 0 && abs(target_memkb) >
current_target_memkb)
+ new_target_memkb = 0;
+ else
+ new_target_memkb = current_target_memkb + target_memkb;
+ } else
new_target_memkb = target_memkb;
if (new_target_memkb > memorykb) {
LIBXL__LOG(ctx, LIBXL__LOG_ERROR,
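Review bot: The new guard `target_memkb < 0 && abs(target_memkb) > current_target_memkb` in the `relative` branch relies on `abs()`, which is undefined for the most negative int, and it then compares that signed result against current_target_memkb, which the commit message describes as uint32_t. Doing the arithmetic in a wider signed type, for example `(int64_t)current_target_memkb + target_memkb`, and range-checking the result before assigning it to new_target_memkb would avoid both problems. That form would also cover the upward direction, which this hunk leaves unchecked: a large positive target_memkb can still wrap the sum before the `new_target_memkb > memorykb` test sees it. Separately, the clamp to 0 is silent, so a relative decrease larger than the current target ends up requesting a target of 0 rather than reporting an error to the caller. Logging it or returning an error there would make the condition visible.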
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Ian Jackson
2011-Feb-01 19:25 UTC
Re: [Xen-devel] [PATCH] libxl: fix unsafe subtraction in libxl_set_memory_target
Stefano Stabellini writes ("[Xen-devel] [PATCH] libxl: fix unsafe subtraction in libxl_set_memory_target"):
> The current libxl_set_memory_target function subtracts a negative amount
> from a uint32_t variable without checking if the operation wraps
> around.
>
> This patch fixes this bug (that I previously believed to be a
> hypervisor issue):
> http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1729
Applied, thanks.
Ian.