author Tim Deegan <tim@xen.org> 2013-01-17 13:43:26 +0100
committer Tim Deegan <tim@xen.org> 2013-01-17 13:43:26 +0100
commit eefac7560f9a23e9330c04fe50e1185a1739a18d (patch)
tree affeab74879b4d5c34ac2393e74db9e3d0f36cc6
parent d4ea949bd1a13c2f93c36846ad389394ecbb8698 (diff)
x86/mm: Fix loop increment in paging_log_dirty_range()
In 23417:53ef1f35a0f8 (the fix for XSA-27 / CVE-2012-5511), the loop variable gets incremented twice, so the loop only clears every second page of the bitmap. This might cause the tools to think that pages are dirty when they are not.

Reported-by: Steven Noonan <snoonan@amazon.com>
Reported-by: Matt Wilson <msw@amazon.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>
-rw-r--r-- xen/arch/x86/mm/paging.c 3
1 file changed, 2 insertions, 1 deletion
diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index 0b6a590b46..9808257433 100644
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -534,7 +534,8 @@ int paging_log_dirty_range(struct domain *d,
size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long);
rv = 0;
- for ( off = 0; !rv && off < size; off += sizeof zeroes )
+ off = 0;
+ while ( !rv && off < size )
{
int todo = min(size - off, (int) PAGE_SIZE);
if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) )
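Review bot: the hunk is cut off before the body statement that advances `off`, so the double increment the message describes (the removed `off += sizeof zeroes` in the `for` header plus a second increment inside the body) cannot be verified as fully resolved from this excerpt; please confirm that exactly one `off += todo` remains in the body. With the header increment gone, `while ( !rv && off < size )` depends entirely on that body increment: if it were missing, a successful `copy_to_guest_offset()` (leaving `rv` at 0) would spin forever, and if it were still paired with another increment the every-second-page skip that let stale dirty bits survive in the tools' view would persist. It would also help to state in the message that the stride is now `todo` (at most `PAGE_SIZE`) rather than `sizeof zeroes`, since the last iteration copies only `size - off` bytes.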