Xen devel - Nov 2012 - [PATCH] tmem: Prevent NULL dereference on error case

If the client / pool IDs given to tmemc_save_get_next_page are invalid,
the calculation of pagesize will dereference NULL.

Fix this by moving the calculation below the appropriate NULL check.

Signed-off-by: Matthew Daley <mattjd@gmail.com>

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 1280537..ec59009 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2436,10 +2436,13 @@ static NOINLINE int tmemc_save_get_next_page(int cli_id,
uint32_t pool_id,
     OID oid;
     int ret = 0;
     struct tmem_handle h;
-    unsigned int pagesize = 1 << (pool->pageshift+12);
+    unsigned int pagesize;
 
     if ( pool == NULL || is_ephemeral(pool) )
         return -1;
+
+    pagesize = 1 << (pool->pageshift + 12);
+
     if ( bufsize < pagesize + sizeof(struct tmem_handle) )
         return -ENOMEM;
 
-- 
1.7.10.4

> From: Matthew Daley [mailto:mattjd@gmail.com]
> Subject: [PATCH] tmem: Prevent NULL dereference on error case
> 
> If the client / pool IDs given to tmemc_save_get_next_page are invalid,
> the calculation of pagesize will dereference NULL.
> 
> Fix this by moving the calculation below the appropriate NULL check.
> 
> Signed-off-by: Matthew Daley <mattjd@gmail.com>
Good catch!

Did you see this on an actual save/restore or just by inspection?
This should only happen as a result of a buggy toolstack so I''m
wondering if fixing this hides a toolstack bug.  In either case,
this should be fixed in the hypervisor.

Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
 
> diff --git a/xen/common/tmem.c b/xen/common/tmem.c
> index 1280537..ec59009 100644
> --- a/xen/common/tmem.c
> +++ b/xen/common/tmem.c
> @@ -2436,10 +2436,13 @@ static NOINLINE int tmemc_save_get_next_page(int
cli_id, uint32_t pool_id,
>      OID oid;
>      int ret = 0;
>      struct tmem_handle h;
> -    unsigned int pagesize = 1 << (pool->pageshift+12);
> +    unsigned int pagesize;
> 
>      if ( pool == NULL || is_ephemeral(pool) )
>          return -1;
> +
> +    pagesize = 1 << (pool->pageshift + 12);
> +
>      if ( bufsize < pagesize + sizeof(struct tmem_handle) )
>          return -ENOMEM;
> 
> --
> 1.7.10.4

On Tue, Nov 13, 2012 at 5:30 AM, Dan Magenheimer
<dan.magenheimer@oracle.com> wrote:
> Did you see this on an actual save/restore or just by inspection?
> This should only happen as a result of a buggy toolstack so I''m
> wondering if fixing this hides a toolstack bug.
Just by inspection of the hypervisor side, so there''s no need to worry
about the toolstack.

- Matthew