From: Don Slutz <dslutz@verizon.com>
To: xen-devel@lists.xen.org
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Keir Fraser <keir@xen.org>, Don Slutz <dslutz@verizon.com>,
	Jan Beulich <jbeulich@suse.com>
Subject: [PATCH 1/1] x86/hvm: prevent hvm_free_ioreq_gmfn() clobber of arbitrary memory
Date: Mon, 13 Apr 2015 12:01:43 -0400
Message-ID: <1428940903-18302-1-git-send-email-dslutz@verizon.com>

This will prevent a hard to track down bug.  It is related to

commit ffdb781883abd3215287ba1b1853f3d437d1240c
x86/hvm: prevent gcc uninitialised var warning

which will preset "gmfn" to ~0UL.

This code will check if there is a path where bufioreq_pfn is passed
to hvm_free_ioreq_gmfn() while it is uninitialised; if so, the BUG_ON
will report it.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Don Slutz <dslutz@verizon.com>
---
 xen/arch/x86/hvm/hvm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index ade99c0..0abac7c 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -536,8 +536,9 @@ static int hvm_alloc_ioreq_gmfn(struct domain *d, unsigned long *gmfn)
 
 static void hvm_free_ioreq_gmfn(struct domain *d, unsigned long gmfn)
 {
-    unsigned int i = gmfn - d->arch.hvm_domain.ioreq_gmfn.base;
+    unsigned long i = gmfn - d->arch.hvm_domain.ioreq_gmfn.base;
 
+    BUG_ON(i >= sizeof(d->arch.hvm_domain.ioreq_gmfn.mask) * 8);
     clear_bit(i, &d->arch.hvm_domain.ioreq_gmfn.mask);
 }
 
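Review bot: the widening of `i` from `unsigned int` to `unsigned long` is the part of this hunk that makes the new BUG_ON effective, and the commit message should say so: with a 32-bit index, a gmfn that lies below `ioreq_gmfn.base` by a multiple of 2^32 wraps back into the valid range, passes the `i >= sizeof(mask) * 8` test and still clears the wrong bit, whereas the full-width difference wraps to a huge value and is rejected. Two smaller points: `sizeof(d->arch.hvm_domain.ioreq_gmfn.mask) * 8` hard-codes eight bits per byte, and if `mask` is an `unsigned long` (its type is not visible in this hunk) `BITS_PER_LONG` would state the bound more directly; and since a BUG_ON halts the hypervisor, the description should say why a crash is preferred here over an ASSERT that only fires in debug builds, given that the stated purpose is to catch an uninitialised value early.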
-- 
1.8.4
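The point the hunk turns on, that a 32-bit index can fold an out-of-range gmfn back into range while a 64-bit one cannot, is easiest to see with concrete numbers. The following is an added example and not code from the patch or from Xen: it mirrors the two index computations side by side with a 64-bit mask, and the `base` and `gmfn` values are constructed (it assumes an LP64 build, where `unsigned long` is 64 bits).

```c
#include <stdio.h>

/* Constructed stand-in for the ioreq_gmfn mask: one bit per page, bounded by
 * sizeof(mask) * 8 exactly as in the patch (64 bits on LP64). */
#define MASK_BITS (sizeof(unsigned long) * 8)

/* Pre-patch shape: the difference is narrowed to unsigned int before the
 * bound check, so its high 32 bits are discarded. */
static int index_ok_narrow(unsigned long gmfn, unsigned long base)
{
    unsigned int i = gmfn - base;   /* truncating conversion */
    return i < MASK_BITS;
}

/* Patched shape: the difference keeps its full width, so any gmfn below
 * base wraps to a huge value and fails the check. */
static int index_ok_wide(unsigned long gmfn, unsigned long base)
{
    unsigned long i = gmfn - base;
    return i < MASK_BITS;
}

int main(void)
{
    /* Constructed values: a base above 4 GiB and a gmfn exactly 2^32 below it,
     * plus the ~0UL preset the commit message mentions and one valid page. */
    const unsigned long base   = 0x100000040UL;
    const unsigned long below  = 0x40UL;          /* base - 2^32 */
    const unsigned long preset = ~0UL;
    const unsigned long valid  = base + 5;

    printf("gmfn 2^32 below base: narrow=%d wide=%d\n",
           index_ok_narrow(below, base), index_ok_wide(below, base));
    printf("gmfn preset to ~0UL : narrow=%d wide=%d\n",
           index_ok_narrow(preset, base), index_ok_wide(preset, base));
    printf("valid gmfn          : narrow=%d wide=%d\n",
           index_ok_narrow(valid, base), index_ok_wide(valid, base));
    return 0;
}
```

The first line of output is the interesting one: the narrowed index reports the out-of-range gmfn as valid (index 0), so a clear_bit on it would silently corrupt bit 0 of the mask instead of tripping the BUG_ON; the full-width index rejects it. The ~0UL preset happens to be caught either way, which is why the width change is easy to overlook in review.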

Thread overview: 10+ messages
2015-04-13 16:01 Don Slutz [this message]
2015-04-14 11:47 ` [PATCH 1/1] x86/hvm: prevent hvm_free_ioreq_gmfn() clobber of arbitrary memory Jan Beulich
2015-04-14 13:17   ` Andrew Cooper
2015-04-14 22:54     ` Don Slutz
2015-04-16 10:53     ` Tim Deegan
2015-04-16 11:32       ` Jan Beulich
2015-04-16 16:37         ` Tim Deegan
2015-04-16 18:44           ` Andrew Cooper
2015-04-17  7:45           ` Jan Beulich
2015-04-23 13:25 Paul Durrant
