author: Matthew Daley <mattjd@gmail.com> 2012-11-14 10:40:41 +0100
committer: Matthew Daley <mattjd@gmail.com> 2012-11-14 10:40:41 +0100
commit: a00d58bcee30c8f087aa9c58b2d9e10a1cb0de39 (patch)
tree: 1153f6529692e077a7a022df71bf9b668fea89eb
parent: 777e715cdba3e2eb96a22fb8eb10e0531852f0dc (diff)
fix xenctl_cpumap_to_cpumask() buffer size check

xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether bits should be masked off from the input cpumap bitmap or not. Fix by using the correct cpumask buffer size in place of sizeof.

Signed-off-by: Matthew Daley <mattjd@gmail.com>

Compare against copy_bytes instead, and use equality rather than less-or-equal.

Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not security relevant (i.e. the bug could not cause memory corruption): _xmalloc() never returns chunks of data smaller than the size of a pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the piece of memory erroneously written to would still be inside the allocation done at the top of the function.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset: 26139:56400658f096
xen-unstable date: Tue Nov 13 10:28:10 UTC 2012

-rw-r--r-- xen/common/domctl.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index 2b1f1829da..4b4b49cdb9 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
{
if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
err = -EFAULT;
- if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) )
+ if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));
}
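
Review bot: the `guest_bytes == copy_bytes` test on the changed line needs a short comment saying why equality is the right comparison. The mask is written to bytemap[guest_bytes-1], so it is only in bounds of the copied data when that index is the last byte actually copied, and that reasoning currently lives only in the commit message. Separately, the masking `if` still runs when copy_from_guest() has failed and err is already -EFAULT, so it operates on a buffer that was not filled from the guest; making it an `else if`, or testing `!err` first, would keep the error path from touching bytemap at all.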