From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>,
qemu-stable@nongnu.org,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: [Qemu-devel] [PATCH 05/35] xen/blkif: Avoid double access to src->nr_segments
Date: Mon, 21 Mar 2016 12:28:03 -0500 [thread overview]
Message-ID: <1458581313-19045-6-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1458581313-19045-1-git-send-email-mdroth@linux.vnet.ibm.com>
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function. If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.
Fix it by removing the double access to src->nr_segments.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
(cherry picked from commit f9e98e5d7a67367b862941e339a98b8322fa0cea)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/block/xen_blkif.h | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h
index 711b692..c68487cb 100644
--- a/hw/block/xen_blkif.h
+++ b/hw/block/xen_blkif.h
@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
d->nr_sectors = s->nr_sectors;
return;
}
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ barrier();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
d->nr_sectors = s->nr_sectors;
return;
}
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ barrier();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
--
1.9.1
next prev parent reply other threads:[~2016-03-21 17:30 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-21 17:27 [Qemu-devel] [PATCH 00/35] Patch Round-up for stable 2.5.1, freeze on 2016-03-25 Michael Roth
2016-03-21 17:27 ` [Qemu-devel] [PATCH 01/35] ehci: make idt processing more robust Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 02/35] net: vmxnet3: avoid memory leakage in activate_device Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 03/35] target-ppc: kvm: fix floating point registers sync on little-endian hosts Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 04/35] configure: Fix shell syntax to placate OpenBSD's pdksh Michael Roth
2016-03-21 17:28 ` Michael Roth [this message]
2016-03-21 17:28 ` [Qemu-devel] [PATCH 06/35] xenfb: avoid reading twice the same fields from the shared page Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 07/35] virtio-9p: use accessor to get thread_pool Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 08/35] scsi: initialise info object with appropriate size Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 09/35] ivshmem: no need for opaque argument Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 10/35] ivshmem: remove redundant assignment, fix crash with msi=off Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 11/35] net: rocker: fix an incorrect array bounds check Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 12/35] block: Add blk_dev_has_tray() Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 13/35] blockdev: Fix 'change' for slot devices Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 14/35] net/dump: fix nfds->filename leak Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 15/35] net/filter: fix nf->netdev_id leak Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 16/35] net: ne2000: check ring buffer control registers Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 17/35] net: set endianness on all backend devices Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 18/35] ehci: update irq on reset Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 19/35] block/raw-posix: avoid bogus fixup for cylinders on DASD disks Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 20/35] s390x/ioinst: set type and len for SEI response Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 21/35] s390x/css: fix control flags during csch Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 22/35] fw_cfg: avoid calculating invalid current entry pointer Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 23/35] cpus: use broadcast on qemu_pause_cond Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 24/35] qmp: Fix reference-counting of qnull on empty output visit Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 25/35] block: set device_list.tqe_prev to NULL on BDS removal Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 26/35] block: qemu-iotests - add test for snapshot, commit, snapshot bug Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 27/35] e1000: eliminate infinite loops on out-of-bounds transfer start Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 28/35] spapr: skip configuration section during migration of older machines Michael Roth
2016-03-22 7:49 ` [Qemu-devel] [Qemu-stable] " Greg Kurz
2016-03-22 22:35 ` Michael Roth
2016-03-23 7:59 ` Greg Kurz
2016-03-21 17:28 ` [Qemu-devel] [PATCH 29/35] hw/virtio: fix double use of a virtio flag Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 30/35] hw/virtio: group virtio flags into an enum Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 31/35] fw_cfg: unbreak migration compatibility for 2.4 and earlier machines Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 32/35] vhost-user: don't merge regions with different fds Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 33/35] target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 34/35] quorum: Fix crash in quorum_aio_cb() Michael Roth
2016-03-21 17:28 ` [Qemu-devel] [PATCH 35/35] vl.c: Fix regression in machine error message Michael Roth
2016-03-21 19:32 ` [Qemu-devel] [Qemu-stable] [PATCH 00/35] Patch Round-up for stable 2.5.1, freeze on 2016-03-25 Cole Robinson
2016-03-22 22:47 ` Michael Roth
2016-03-22 10:00 ` Peter Lieven
2016-03-22 22:45 ` Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458581313-19045-6-git-send-email-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=stefano.stabellini@eu.citrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.