40 lines
1.5 KiB
Diff
40 lines
1.5 KiB
Diff
|
# HG changeset patch
|
||
|
|
# User Matthew Daley <mattjd@gmail.com>
|
||
|
|
# Date 1352802490 -3600
|
||
|
|
# Node ID 56400658f0962099988678487e525d12f869a96a
|
||
|
|
# Parent a3cde70320ada4a5424c37f65b8fe3753fc95205
|
||
|
|
fix xenctl_cpumap_to_cpumask() buffer size check
|
||
|
|
|
||
|
|
xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
|
||
|
|
bits should be masked off from the input cpumap bitmap or not.
|
||
|
|
|
||
|
|
Fix by using the correct cpumask buffer size in place of sizeof.
|
||
|
|
|
||
|
|
Signed-off-by: Matthew Daley <mattjd@gmail.com>
|
||
|
|
|
||
|
|
Compare against copy_bytes instead, and use equality rather than less-
|
||
|
|
or-equal.
|
||
|
|
|
||
|
|
Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not
|
||
|
|
security relevant (i.e. the bug could not cause memory corruption):
|
||
|
|
_xmalloc() never returns chunks of data smaller than the size of a
|
||
|
|
pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the
|
||
|
|
piece of memory erroneously written to would still be inside the
|
||
|
|
allocation done at the top of the function.
|
||
|
|
|
||
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
||
|
|
Acked-by: Keir Fraser <keir@xen.org>
|
||
|
|
Committed-by: Jan Beulich <jbeulich@suse.com>
|
||
|
|
|
||
|
|
--- a/xen/common/domctl.c
|
||
|
|
+++ b/xen/common/domctl.c
|
||
|
|
@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
|
||
|
|
{
|
||
|
|
if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
|
||
|
|
err = -EFAULT;
|
||
|
|
- if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) )
|
||
|
|
+ if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
|
||
|
|
bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));
|
||
|
|
}
|
||
|
|
|