17854f1c81
25833-32on64-bogus-pt_base-adjust.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25861-x86-early-fixmap.patch 25862-sercon-non-com.patch 25863-sercon-ehci-dbgp.patch 25864-sercon-unused.patch 25866-sercon-ns16550-pci-irq.patch 25867-sercon-ns16550-parse.patch 25874-x86-EFI-chain-cfg.patch 25909-xenpm-consistent.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=201
# HG changeset patch
# User Jan Beulich <jbeulich@suse.com>
# Date 1347365879 -7200
# Node ID 33b8c42a87ec2fa6e6533dd9ee7603f732b168f5
# Parent ccd60ed6c555e1816cac448fcb20a84533977b43
tmem: detect arithmetic overflow in tmh_copy_{from,to}_client()
This implies adjusting callers to deal with errors other than -EFAULT
and removing some comments which would otherwise become stale.
Reported-by: Tim Deegan <tim@xen.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
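--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1535,7 +1535,7 @@ copy_uncompressed:
 /* tmh_copy_from_client properly handles len==0 and offsets != 0 */
 ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
 tmh_cli_buf_null);
- if ( ret == -EFAULT )
+ if ( ret < 0 )
 goto bad_copy;
 if ( tmh_dedup_enabled() && !is_persistent(pool) )
 {
@@ -1556,9 +1556,7 @@ done:
 return 1;
 
 bad_copy:
- /* this should only happen if the client passed a bad mfn */
 failed_copies++;
- ret = -EFAULT;
 goto cleanup;
 
 failed_dup:
@@ -1662,7 +1660,7 @@ copy_uncompressed:
 /* tmh_copy_from_client properly handles len==0 (TMEM_NEW_PAGE) */
 ret = tmh_copy_from_client(pgp->pfp, cmfn, tmem_offset, pfn_offset, len,
 clibuf);
- if ( ret == -EFAULT )
+ if ( ret < 0 )
 goto bad_copy;
 if ( tmh_dedup_enabled() && !is_persistent(pool) )
 {
@@ -1702,8 +1700,6 @@ insert_page:
 return 1;
 
 bad_copy:
- /* this should only happen if the client passed a bad mfn */
- ret = -EFAULT;
 failed_copies++;
 
 delete_and_free:
@@ -1737,7 +1733,7 @@ static NOINLINE int do_tmem_get(pool_t *
 pgp_t *pgp;
 client_t *client = pool->client;
 DECL_LOCAL_CYC_COUNTER(decompress);
- int rc = -EFAULT;
+ int rc;
 
 if ( !_atomic_read(pool->pgp_count) )
 return -EEMPTY;
@@ -1761,20 +1757,20 @@ static NOINLINE int do_tmem_get(pool_t *
 ASSERT(pgp->size != -1);
 if ( tmh_dedup_enabled() && !is_persistent(pool) &&
 pgp->firstbyte != NOT_SHAREABLE )
- {
 rc = pcd_copy_to_client(cmfn, pgp);
- if ( rc <= 0 )
- goto bad_copy;
- } else if ( pgp->size != 0 ) {
+ else if ( pgp->size != 0 )
+ {
 START_CYC_COUNTER(decompress);
 rc = tmh_decompress_to_client(cmfn, pgp->cdata,
 pgp->size, clibuf);
- if ( rc <= 0 )
- goto bad_copy;
 END_CYC_COUNTER(decompress);
- } else if ( tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,
- pfn_offset, len, clibuf) == -EFAULT)
+ }
+ else
+ rc = tmh_copy_to_client(cmfn, pgp->pfp, tmem_offset,
+ pfn_offset, len, clibuf);
+ if ( rc <= 0 )
 goto bad_copy;
+
 if ( is_ephemeral(pool) )
 {
 if ( is_private(pool) )
@@ -1811,7 +1807,6 @@ static NOINLINE int do_tmem_get(pool_t *
 return 1;
 
 bad_copy:
- /* this should only happen if the client passed a bad mfn */
 failed_copies++;
 return rc;
 }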
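Review bot: In do_tmem_get() the -1737 hunk changes `int rc = -EFAULT;` to `int rc;`, so `bad_copy:` now returns whatever the last assignment left in rc. Within the -1761 hunk all three branches assign rc before `if ( rc <= 0 )`, but the body between the declaration and that hunk is not visible, and any path there that reaches `bad_copy` would return an indeterminate value. Keeping a defensive default such as `int rc = -EINVAL;` keeps the error path well defined if another branch is added later. The three `bad_copy:` labels also lose their only comment; since they now receive -EINVAL for out-of-range offsets or lengths as well as -EFAULT, a replacement like `/* copy failed: bad client mfn (-EFAULT) or out-of-range offset/len (-EINVAL) */` would keep the labels documented.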
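--- a/xen/common/tmem_xen.c
+++ b/xen/common/tmem_xen.c
@@ -153,6 +153,8 @@ EXPORT int tmh_copy_from_client(pfp_t *p
 pfp_t *cli_pfp = NULL;
 int rc = 1;
 
+ if ( tmem_offset > PAGE_SIZE || pfn_offset > PAGE_SIZE || len > PAGE_SIZE )
+ return -EINVAL;
 ASSERT(pfp != NULL);
 tmem_mfn = page_to_mfn(pfp);
 tmem_va = map_domain_page(tmem_mfn);
@@ -183,6 +185,8 @@ EXPORT int tmh_copy_from_client(pfp_t *p
 pfn_offset, len) )
 rc = -EFAULT;
 }
+ else if ( len )
+ rc = -EINVAL;
 if ( cli_va )
 cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 0);
 unmap_domain_page(tmem_va);
@@ -230,6 +234,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_m
 pfp_t *cli_pfp = NULL;
 int rc = 1;
 
+ if ( tmem_offset > PAGE_SIZE || pfn_offset > PAGE_SIZE || len > PAGE_SIZE )
+ return -EINVAL;
 ASSERT(pfp != NULL);
 if ( guest_handle_is_null(clibuf) )
 {
@@ -249,6 +255,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_m
 tmem_va + tmem_offset, len) )
 rc = -EFAULT;
 }
+ else if ( len )
+ rc = -EINVAL;
 unmap_domain_page(tmem_va);
 if ( cli_va )
 cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 1);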
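Review bot: The new guard at the top of tmh_copy_from_client(), and the identical one in tmh_copy_to_client(), bounds each operand separately, so it still admits combinations such as `tmem_offset == PAGE_SIZE` with `len == PAGE_SIZE`. What it guarantees is only that a later `offset + len` sum cannot wrap. Rejecting those combinations must fall to the range test in the branch preceding `else if ( len )`, which lies outside the hunks, so the guard deserves a comment such as `/* Bound each operand so the offset+len range checks below cannot overflow. */`. The parameter types are not visible here; if they are signed, the guard would also need to reject negative values. Because the same three-way test appears in both functions, a small shared static helper would keep the two copies from drifting apart.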