From: Jan Beulich <jbeulich@suse.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Wei Liu" <wl@xen.org>, "Roger Pau Monné" <roger.pau@citrix.com>,
"Juergen Gross" <jgross@suse.com>,
"George Dunlap" <george.dunlap@citrix.com>,
"Ian Jackson" <iwj@xenproject.org>
Subject: [PATCH v2 07/13] libxenguest: guard against overflow from too large p2m when checkpointing
Date: Mon, 5 Jul 2021 17:15:00 +0200 [thread overview]
Message-ID: <952285d1-9fc3-ab03-f6e4-c7946805e4a4@suse.com> (raw)
In-Reply-To: <0bebfe8c-6897-dc8b-7fe0-9127d4996eb8@suse.com>
struct xc_sr_record's length field has just 32 bits. Fill it early and
check that the calculated value hasn't overflowed. Additionally check
for counter overflow early - there's no point even trying to allocate
any memory in such an event.
While there also limit an induction variable's type to unsigned long:
There's no gain from it being uint64_t.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
Of course looping over test_bit() is pretty inefficient, but given that
I have no idea how to test this code I wanted to restrict changes to
what can sensibly be seen as no worse than before from just looking at
the changes.
--- a/tools/libs/guest/xg_sr_restore.c
+++ b/tools/libs/guest/xg_sr_restore.c
@@ -450,7 +450,8 @@ static int send_checkpoint_dirty_pfn_lis
xc_interface *xch = ctx->xch;
int rc = -1;
unsigned int count, written;
- uint64_t i, *pfns = NULL;
+ unsigned long i;
+ uint64_t *pfns = NULL;
struct iovec *iov = NULL;
struct xc_sr_record rec = {
.type = REC_TYPE_CHECKPOINT_DIRTY_PFN_LIST,
@@ -469,16 +470,28 @@ static int send_checkpoint_dirty_pfn_lis
for ( i = 0, count = 0; i < ctx->restore.p2m_size; i++ )
{
- if ( test_bit(i, dirty_bitmap) )
- count++;
+ if ( test_bit(i, dirty_bitmap) && !++count )
+ break;
}
+ if ( i < ctx->restore.p2m_size )
+ {
+ ERROR("Too many dirty pfns");
+ goto err;
+ }
+
+ rec.length = count * sizeof(*pfns);
+ if ( rec.length / sizeof(*pfns) != count )
+ {
+ ERROR("Too many (%u) dirty pfns", count);
+ goto err;
+ }
- pfns = malloc(count * sizeof(*pfns));
+ pfns = malloc(rec.length);
if ( !pfns )
{
- ERROR("Unable to allocate %zu bytes of memory for dirty pfn list",
- count * sizeof(*pfns));
+ ERROR("Unable to allocate %u bytes of memory for dirty pfn list",
+ rec.length);
goto err;
}
@@ -504,8 +517,6 @@ static int send_checkpoint_dirty_pfn_lis
goto err;
}
- rec.length = count * sizeof(*pfns);
-
iov[0].iov_base = &rec.type;
iov[0].iov_len = sizeof(rec.type);
@@ -513,7 +524,7 @@ static int send_checkpoint_dirty_pfn_lis
iov[1].iov_len = sizeof(rec.length);
iov[2].iov_base = pfns;
- iov[2].iov_len = count * sizeof(*pfns);
+ iov[2].iov_len = rec.length;
if ( writev_exact(ctx->restore.send_back_fd, iov, 3) )
{
next prev parent reply other threads:[~2021-07-05 15:15 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-05 15:09 [PATCH v2 00/13] x86: more or less log-dirty related improvements Jan Beulich
2021-07-05 15:11 ` [PATCH v2 01/13] libxl/x86: check return value of SHADOW_OP_SET_ALLOCATION domctl Jan Beulich
2021-07-16 13:03 ` Anthony PERARD
2021-07-05 15:12 ` [PATCH v2 02/13] libxc: split xc_logdirty_control() from xc_shadow_control() Jan Beulich
2021-08-19 9:11 ` Juergen Gross
2021-08-19 9:24 ` Jan Beulich
2021-08-19 9:50 ` Juergen Gross
2021-09-02 17:04 ` [PATCH v2 02/13] libxc: split xc_logdirty_control() from xc_shadow_control() [and 1 more messages] Ian Jackson
2021-07-05 15:13 ` [PATCH v2 03/13] libxenguest: deal with log-dirty op stats overflow Jan Beulich
2021-07-05 15:41 ` Andrew Cooper
2021-07-05 15:53 ` Jan Beulich
2021-07-05 17:26 ` Olaf Hering
2021-07-06 6:39 ` Jan Beulich
2021-07-06 6:46 ` Olaf Hering
2021-07-06 6:58 ` Jan Beulich
2021-07-06 7:15 ` Olaf Hering
2021-08-19 10:20 ` Juergen Gross
2021-08-19 11:06 ` Jan Beulich
2021-08-19 11:25 ` Juergen Gross
2021-08-19 11:51 ` Jan Beulich
2021-08-19 11:53 ` Jan Beulich
2021-09-02 16:57 ` Ian Jackson
2021-08-19 14:29 ` Juergen Gross
2021-07-05 15:13 ` [PATCH v2 04/13] libxenguest: short-circuit "all-dirty" handling Jan Beulich
2021-08-19 14:21 ` Juergen Gross
2021-07-05 15:14 ` [PATCH v2 05/13] libxenguest: avoid allocating unused deferred-pages bitmap Jan Beulich
2021-08-19 14:22 ` Juergen Gross
2021-07-05 15:14 ` [PATCH v2 06/13] libxenguest: complete loops in xc_map_domain_meminfo() Jan Beulich
2021-07-05 15:15 ` Jan Beulich [this message]
2021-07-05 15:15 ` [PATCH v2 08/13] libxenguest: fix off-by-1 in colo-secondary-bitmap merging Jan Beulich
2021-07-05 15:15 ` [PATCH v2 09/13] libxenguest: restrict PV guest size Jan Beulich
2021-07-05 15:16 ` [PATCH v2 10/13] libxc: simplify HYPERCALL_BUFFER() Jan Beulich
2021-07-05 15:47 ` Andrew Cooper
2021-07-05 15:17 ` [PATCH v2 11/13] x86/paging: supply more useful log-dirty page count Jan Beulich
2021-07-05 15:18 ` [PATCH v2 12/13] x86/mm: update log-dirty bitmap when manipulating P2M Jan Beulich
2021-07-05 15:18 ` [PATCH v2 13/13] SUPPORT.md: write down restriction of 32-bit tool stacks Jan Beulich
2021-07-14 18:16 ` Julien Grall
2021-07-15 6:38 ` Jan Beulich
2021-07-15 9:05 ` Julien Grall
2021-07-15 11:36 ` Jan Beulich
2021-07-16 7:50 ` Julien Grall
2021-07-19 7:46 ` Ping: [PATCH v2 00/13] x86: more or less log-dirty related improvements Jan Beulich
2021-08-13 9:24 ` Jan Beulich
2021-08-20 7:20 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=952285d1-9fc3-ab03-f6e4-c7946805e4a4@suse.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=george.dunlap@citrix.com \
--cc=iwj@xenproject.org \
--cc=jgross@suse.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).