Jan Beulich
2012-Sep-18 15:24 UTC
[PATCH] x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range
In particular, the case of "np" being a very large value
wasn''t handled
correctly. The range start checks also were off by one (except that in
practice, when "np" is properly range checked, this would still have
been caught by the range end checks).
Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay?
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -884,7 +884,7 @@ long arch_do_domctl(
int found = 0;
ret = -EINVAL;
- if ( (np == 0) || (fgp > MAX_IOPORTS) || (fmp > MAX_IOPORTS) ||
+ if ( ((fgp | fmp | (np - 1)) >= MAX_IOPORTS) ||
((fgp + np) > MAX_IOPORTS) || ((fmp + np) > MAX_IOPORTS) )
{
printk(XENLOG_G_ERR
Keir Fraser
2012-Sep-18 15:39 UTC
Re: [PATCH] x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range
On 18/09/2012 16:24, "Jan Beulich" <JBeulich@suse.com> wrote:> In particular, the case of "np" being a very large value wasn''t handled > correctly. The range start checks also were off by one (except that in > practice, when "np" is properly range checked, this would still have > been caught by the range end checks). > > Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay?Probably worth fixing?> Signed-off-by: Jan Beulich <jbeulich@suse.com>Acked-by: Keir Fraser <keir@xen.org>> --- a/xen/arch/x86/domctl.c > +++ b/xen/arch/x86/domctl.c > @@ -884,7 +884,7 @@ long arch_do_domctl( > int found = 0; > > ret = -EINVAL; > - if ( (np == 0) || (fgp > MAX_IOPORTS) || (fmp > MAX_IOPORTS) || > + if ( ((fgp | fmp | (np - 1)) >= MAX_IOPORTS) || > ((fgp + np) > MAX_IOPORTS) || ((fmp + np) > MAX_IOPORTS) ) > { > printk(XENLOG_G_ERR > > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel