* [PATCH] xen: arm: Avoid reading beyond the last module
@ 2015-07-16 21:41 Chris (Christopher) Brand
2015-07-17 10:14 ` Julien Grall
0 siblings, 1 reply; 6+ messages in thread
From: Chris (Christopher) Brand @ 2015-07-16 21:41 UTC (permalink / raw)
To: xen-devel
[-- Attachment #1.1: Type: text/plain, Size: 1458 bytes --]
nr_mods is set in add_boot_module() to the number of module
array elements used. This function also ensures that nr_mods
never exceeds MAX_MODULES (the size of the array). When looping
through the array, the correct maximum index is "nr_mods-1",
not "nr_mods". If the array is full, using the latter will in
fact access beyond the end of the array.
This was done correctly in boot_module_find_by_kind() and
consider_modules() but incorrectly in discard_initial_modules()
and next_module().
Signed-off-by: Chris Brand <chris.brand@broadcom.com>
---
xen/arch/arm/setup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 06f8e54b1f04..5daa6db919ac 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -250,7 +250,7 @@ void __init discard_initial_modules(void)
struct bootmodules *mi = &bootinfo.modules;
int i;
- for ( i = 0; i <= mi->nr_mods; i++ )
+ for ( i = 0; i < mi->nr_mods; i++ )
{
paddr_t s = mi->module[i].start;
paddr_t e = s + PAGE_ALIGN(mi->module[i].size);
@@ -350,7 +350,7 @@ static paddr_t __init next_module(paddr_t s, paddr_t *end)
paddr_t lowest = ~(paddr_t)0;
int i;
- for ( i = 0; i <= mi->nr_mods; i++ )
+ for ( i = 0; i < mi->nr_mods; i++ )
{
paddr_t mod_s = mi->module[i].start;
paddr_t mod_e = mod_s + mi->module[i].size;
--
1.9.1
[-- Attachment #1.2: Type: text/html, Size: 8513 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] xen: arm: Avoid reading beyond the last module
2015-07-16 21:41 [PATCH] xen: arm: Avoid reading beyond the last module Chris (Christopher) Brand
@ 2015-07-17 10:14 ` Julien Grall
2015-07-17 22:15 ` Chris (Christopher) Brand
0 siblings, 1 reply; 6+ messages in thread
From: Julien Grall @ 2015-07-17 10:14 UTC (permalink / raw)
To: Chris (Christopher) Brand, xen-devel, Ian Campbell, Stefano Stabellini
Hi Christopher,
Thank you for the patch.
It looks like the mail as been sent in HTML. Can you resend it in plain
text?
You also need to cc the maintainers of the code you are modifying (I've
CCed them this time).
You can give a look to [1] to know how to send correctly the patch.
On 16/07/15 22:41, Chris (Christopher) Brand wrote:
> nr_mods is set in add_boot_module() to the number of module
>
> array elements used. This function also ensures that nr_mods
>
> never exceeds MAX_MODULES (the size of the array). When looping
>
> through the array, the correct maximum index is "nr_mods-1",
>
> not "nr_mods". If the array is full, using the latter will in
>
> fact access beyond the end of the array.
>
> This was done correctly in boot_module_find_by_kind() and
>
> consider_modules() but incorrectly in discard_initial_modules()
>
> and next_module().
>
>
>
> Signed-off-by: Chris Brand <chris.brand@broadcom.com>
The patch looks good to me. I think it's a candidate to backport in Xen 4.5.
Regards,
[1] http://wiki.xenproject.org/wiki/Submitting_Xen_Project_Patches
--
Julien Grall
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] xen: arm: Avoid reading beyond the last module
@ 2015-07-17 20:48 Chris (Christopher) Brand
2015-07-20 12:32 ` Julien Grall
0 siblings, 1 reply; 6+ messages in thread
From: Chris (Christopher) Brand @ 2015-07-17 20:48 UTC (permalink / raw)
To: xen-devel; +Cc: Julien Grall, Ian Campbell, Stefano Stabellini
nr_mods is set in add_boot_module() to the number of module
array elements used. This function also ensures that nr_mods
never exceeds MAX_MODULES (the size of the array). When looping
through the array, the correct maximum index is "nr_mods-1",
not "nr_mods". If the array is full, using the latter will in
fact access beyond the end of the array.
This was done correctly in boot_module_find_by_kind() and
consider_modules() but incorrectly in discard_initial_modules()
and next_module().
Signed-off-by: Chris Brand <chris.brand@broadcom.com>
---
xen/arch/arm/setup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 06f8e54b1f04..5daa6db919ac 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -250,7 +250,7 @@ void __init discard_initial_modules(void)
struct bootmodules *mi = &bootinfo.modules;
int i;
- for ( i = 0; i <= mi->nr_mods; i++ )
+ for ( i = 0; i < mi->nr_mods; i++ )
{
paddr_t s = mi->module[i].start;
paddr_t e = s + PAGE_ALIGN(mi->module[i].size);
@@ -350,7 +350,7 @@ static paddr_t __init next_module(paddr_t s, paddr_t *end)
paddr_t lowest = ~(paddr_t)0;
int i;
- for ( i = 0; i <= mi->nr_mods; i++ )
+ for ( i = 0; i < mi->nr_mods; i++ )
{
paddr_t mod_s = mi->module[i].start;
paddr_t mod_e = mod_s + mi->module[i].size;
--
1.9.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] xen: arm: Avoid reading beyond the last module
2015-07-17 20:48 Chris (Christopher) Brand
@ 2015-07-20 12:32 ` Julien Grall
2015-07-21 14:49 ` Ian Campbell
0 siblings, 1 reply; 6+ messages in thread
From: Julien Grall @ 2015-07-20 12:32 UTC (permalink / raw)
To: Chris (Christopher) Brand, xen-devel; +Cc: Ian Campbell, Stefano Stabellini
Hi Chris,
On 17/07/15 21:48, Chris (Christopher) Brand wrote:
> nr_mods is set in add_boot_module() to the number of module
> array elements used. This function also ensures that nr_mods
> never exceeds MAX_MODULES (the size of the array). When looping
> through the array, the correct maximum index is "nr_mods-1",
> not "nr_mods". If the array is full, using the latter will in
> fact access beyond the end of the array.
> This was done correctly in boot_module_find_by_kind() and
> consider_modules() but incorrectly in discard_initial_modules()
> and next_module().
>
> Signed-off-by: Chris Brand <chris.brand@broadcom.com>
Reviewed-by: Julien Grall <julien.grall@citrix.com>
Regards,
--
Julien Grall
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] xen: arm: Avoid reading beyond the last module
2015-07-20 12:32 ` Julien Grall
@ 2015-07-21 14:49 ` Ian Campbell
0 siblings, 0 replies; 6+ messages in thread
From: Ian Campbell @ 2015-07-21 14:49 UTC (permalink / raw)
To: Julien Grall, Chris (Christopher) Brand, xen-devel; +Cc: Stefano Stabellini
On Mon, 2015-07-20 at 13:32 +0100, Julien Grall wrote:
> Hi Chris,
>
> On 17/07/15 21:48, Chris (Christopher) Brand wrote:
> > nr_mods is set in add_boot_module() to the number of module
> > array elements used. This function also ensures that nr_mods
> > never exceeds MAX_MODULES (the size of the array). When looping
> > through the array, the correct maximum index is "nr_mods-1",
> > not "nr_mods". If the array is full, using the latter will in
> > fact access beyond the end of the array.
> > This was done correctly in boot_module_find_by_kind() and
> > consider_modules() but incorrectly in discard_initial_modules()
> > and next_module().
> >
> > Signed-off-by: Chris Brand <chris.brand@broadcom.com>
>
> Reviewed-by: Julien Grall <julien.grall@citrix.com>
Acked + applied.
Care should be taken when backporting since I think this off-by-one was
the result of us previously not including Xen in nr_mods despite it
being in the array or something like that (i..e the off-by-one used to
be correct).
Ian.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-07-21 14:49 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-16 21:41 [PATCH] xen: arm: Avoid reading beyond the last module Chris (Christopher) Brand
2015-07-17 10:14 ` Julien Grall
2015-07-17 22:15 ` Chris (Christopher) Brand
2015-07-17 20:48 Chris (Christopher) Brand
2015-07-20 12:32 ` Julien Grall
2015-07-21 14:49 ` Ian Campbell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).