xen/25855-tmem-xsa-15-6.patch

# HG changeset patch
# User Jan Beulich <jbeulich@suse.com>
# Date 1347365879 -7200
# Node ID 33b8c42a87ec2fa6e6533dd9ee7603f732b168f5
# Parent  ccd60ed6c555e1816cac448fcb20a84533977b43
tmem: detect arithmetic overflow in tmh_copy_{from,to}_client()

This implies adjusting callers to deal with errors other than -EFAULT
and removing some comments which would otherwise become stale.

Reported-by: Tim Deegan <tim@xen.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1535,7 +1535,7 @@ copy_uncompressed:
     /* tmh_copy_from_client properly handles len==0 and offsets != 0 */
     ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
                                tmh_cli_buf_null);
-    if ( ret == -EFAULT )
+    if ( ret < 0 )
         goto bad_copy;
     if ( tmh_dedup_enabled() && !is_persistent(pool) )
     {
@@ -1556,9 +1556,7 @@ done:
     return 1;
 
 bad_copy:
-    /* this should only happen if the client passed a bad mfn */
     failed_copies++;
-    ret = -EFAULT;
     goto cleanup;
 
 failed_dup:
@@ -1662,7 +1660,7 @@ copy_uncompressed:
     /* tmh_copy_from_client properly handles len==0 (TMEM_NEW_PAGE) */
     ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
                                clibuf);
-    if ( ret == -EFAULT )
+    if ( ret < 0 )
         goto bad_copy;
     if ( tmh_dedup_enabled() && !is_persistent(pool) )
     {
@@ -1702,8 +1700,6 @@ insert_page:
     return 1;
 
 bad_copy:
-    /* this should only happen if the client passed a bad mfn */
-    ret = -EFAULT;
     failed_copies++;
 
 delete_and_free:
@@ -1737,7 +1733,7 @@ static NOINLINE int do_tmem_get(pool_t *
     pgp_t *pgp;
     client_t *client = pool->client;
     DECL_LOCAL_CYC_COUNTER(decompress);
-    int rc = -EFAULT;
+    int rc;
 
     if ( !_atomic_read(pool->pgp_count) )
         return -EEMPTY;
@@ -1761,20 +1757,20 @@ static NOINLINE int do_tmem_get(pool_t *
     ASSERT(pgp->size != -1);
     if ( tmh_dedup_enabled() && !is_persistent(pool) &&
               pgp->firstbyte != NOT_SHAREABLE )
-    {
         rc = pcd_copy_to_client(cmfn, pgp);
-        if ( rc <= 0 )
-            goto bad_copy;
-    } else if ( pgp->size != 0 ) {
+    else if ( pgp->size != 0 )
+    {
         START_CYC_COUNTER(decompress);
         rc = tmh_decompress_to_client(cmfn, pgp->cdata,
                                       pgp->size, clibuf);
-        if ( rc <= 0 )
-            goto bad_copy;
         END_CYC_COUNTER(decompress);
-    } else if ( tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,
-                                 pfn_offset, len, clibuf) == -EFAULT)
+    }
+    else
+        rc = tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,
+                                pfn_offset, len, clibuf);
+    if ( rc <= 0 )
         goto bad_copy;
+
     if ( is_ephemeral(pool) )
     {
         if ( is_private(pool) )
@@ -1811,7 +1807,6 @@ static NOINLINE int do_tmem_get(pool_t *
     return 1;
 
 bad_copy:
-    /* this should only happen if the client passed a bad mfn */
     failed_copies++;
     return rc;
 }
--- a/xen/common/tmem_xen.c
+++ b/xen/common/tmem_xen.c
@@ -153,6 +153,8 @@ EXPORT int tmh_copy_from_client(pfp_t *p
     pfp_t *cli_pfp = NULL;
     int rc = 1;
 
+    if ( tmem_offset > PAGE_SIZE || pfn_offset > PAGE_SIZE || len > PAGE_SIZE )
+        return -EINVAL;
     ASSERT(pfp != NULL);
     tmem_mfn = page_to_mfn(pfp);
     tmem_va = map_domain_page(tmem_mfn);
@@ -183,6 +185,8 @@ EXPORT int tmh_copy_from_client(pfp_t *p
                                          pfn_offset, len) )
             rc = -EFAULT;
     }
+    else if ( len )
+        rc = -EINVAL;
     if ( cli_va )
         cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 0);
     unmap_domain_page(tmem_va);
@@ -230,6 +234,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_m
     pfp_t *cli_pfp = NULL;
     int rc = 1;
 
+    if ( tmem_offset > PAGE_SIZE || pfn_offset > PAGE_SIZE || len > PAGE_SIZE )
+        return -EINVAL;
     ASSERT(pfp != NULL);
     if ( guest_handle_is_null(clibuf) )
     {
@@ -249,6 +255,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_m
                                        tmem_va + tmem_offset, len) )
             rc = -EFAULT;
     }
+    else if ( len )
+        rc = -EINVAL;
     unmap_domain_page(tmem_va);
     if ( cli_va )
         cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 1);
- Upstream patches from Jan 25833-32on64-bogus-pt_base-adjust.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25861-x86-early-fixmap.patch 25862-sercon-non-com.patch 25863-sercon-ehci-dbgp.patch 25864-sercon-unused.patch 25866-sercon-ns16550-pci-irq.patch 25867-sercon-ns16550-parse.patch 25874-x86-EFI-chain-cfg.patch 25909-xenpm-consistent.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=201 2012-09-21 14:45:08 +00:00			`# HG changeset patch`
			`# User Jan Beulich <jbeulich@suse.com>`
			`# Date 1347365879 -7200`
			`# Node ID 33b8c42a87ec2fa6e6533dd9ee7603f732b168f5`
			`# Parent ccd60ed6c555e1816cac448fcb20a84533977b43`
			`tmem: detect arithmetic overflow in tmh_copy_{from,to}_client()`

			`This implies adjusting callers to deal with errors other than -EFAULT`
			`and removing some comments which would otherwise become stale.`

			`Reported-by: Tim Deegan <tim@xen.org>`
			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>`

			`--- a/xen/common/tmem.c`
			`+++ b/xen/common/tmem.c`
			`@@ -1535,7 +1535,7 @@ copy_uncompressed:`
			`/* tmh_copy_from_client properly handles len==0 and offsets != 0 */`
			`ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,`
			`tmh_cli_buf_null);`
			`- if ( ret == -EFAULT )`
			`+ if ( ret < 0 )`
			`goto bad_copy;`
			`if ( tmh_dedup_enabled() && !is_persistent(pool) )`
			`{`
			`@@ -1556,9 +1556,7 @@ done:`
			`return 1;`

			`bad_copy:`
			`- /* this should only happen if the client passed a bad mfn */`
			`failed_copies++;`
			`- ret = -EFAULT;`
			`goto cleanup;`

			`failed_dup:`
			`@@ -1662,7 +1660,7 @@ copy_uncompressed:`
			`/* tmh_copy_from_client properly handles len==0 (TMEM_NEW_PAGE) */`
			`ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,`
			`clibuf);`
			`- if ( ret == -EFAULT )`
			`+ if ( ret < 0 )`
			`goto bad_copy;`
			`if ( tmh_dedup_enabled() && !is_persistent(pool) )`
			`{`
			`@@ -1702,8 +1700,6 @@ insert_page:`
			`return 1;`

			`bad_copy:`
			`- /* this should only happen if the client passed a bad mfn */`
			`- ret = -EFAULT;`
			`failed_copies++;`

			`delete_and_free:`
			`@@ -1737,7 +1733,7 @@ static NOINLINE int do_tmem_get(pool_t *`
			`pgp_t *pgp;`
			`client_t *client = pool->client;`
			`DECL_LOCAL_CYC_COUNTER(decompress);`
			`- int rc = -EFAULT;`
			`+ int rc;`

			`if ( !_atomic_read(pool->pgp_count) )`
			`return -EEMPTY;`
			`@@ -1761,20 +1757,20 @@ static NOINLINE int do_tmem_get(pool_t *`
			`ASSERT(pgp->size != -1);`
			`if ( tmh_dedup_enabled() && !is_persistent(pool) &&`
			`pgp->firstbyte != NOT_SHAREABLE )`
			`- {`
			`rc = pcd_copy_to_client(cmfn, pgp);`
			`- if ( rc <= 0 )`
			`- goto bad_copy;`
			`- } else if ( pgp->size != 0 ) {`
			`+ else if ( pgp->size != 0 )`
			`+ {`
			`START_CYC_COUNTER(decompress);`
			`rc = tmh_decompress_to_client(cmfn, pgp->cdata,`
			`pgp->size, clibuf);`
			`- if ( rc <= 0 )`
			`- goto bad_copy;`
			`END_CYC_COUNTER(decompress);`
			`- } else if ( tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,`
			`- pfn_offset, len, clibuf) == -EFAULT)`
			`+ }`
			`+ else`
			`+ rc = tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,`
			`+ pfn_offset, len, clibuf);`
			`+ if ( rc <= 0 )`
			`goto bad_copy;`
			`+`
			`if ( is_ephemeral(pool) )`
			`{`
			`if ( is_private(pool) )`
			`@@ -1811,7 +1807,6 @@ static NOINLINE int do_tmem_get(pool_t *`
			`return 1;`

			`bad_copy:`
			`- /* this should only happen if the client passed a bad mfn */`
			`failed_copies++;`
			`return rc;`
			`}`
			`--- a/xen/common/tmem_xen.c`
			`+++ b/xen/common/tmem_xen.c`
			`@@ -153,6 +153,8 @@ EXPORT int tmh_copy_from_client(pfp_t *p`
			`pfp_t *cli_pfp = NULL;`
			`int rc = 1;`

			`+ if ( tmem_offset > PAGE_SIZE \|\| pfn_offset > PAGE_SIZE \|\| len > PAGE_SIZE )`
			`+ return -EINVAL;`
			`ASSERT(pfp != NULL);`
			`tmem_mfn = page_to_mfn(pfp);`
			`tmem_va = map_domain_page(tmem_mfn);`
			`@@ -183,6 +185,8 @@ EXPORT int tmh_copy_from_client(pfp_t *p`
			`pfn_offset, len) )`
			`rc = -EFAULT;`
			`}`
			`+ else if ( len )`
			`+ rc = -EINVAL;`
			`if ( cli_va )`
			`cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 0);`
			`unmap_domain_page(tmem_va);`
			`@@ -230,6 +234,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_m`
			`pfp_t *cli_pfp = NULL;`
			`int rc = 1;`

			`+ if ( tmem_offset > PAGE_SIZE \|\| pfn_offset > PAGE_SIZE \|\| len > PAGE_SIZE )`
			`+ return -EINVAL;`
			`ASSERT(pfp != NULL);`
			`if ( guest_handle_is_null(clibuf) )`
			`{`
			`@@ -249,6 +255,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_m`
			`tmem_va + tmem_offset, len) )`
			`rc = -EFAULT;`
			`}`
			`+ else if ( len )`
			`+ rc = -EINVAL;`
			`unmap_domain_page(tmem_va);`
			`if ( cli_va )`
			`cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 1);`