author | Jan Beulich <jbeulich@suse.com> | 2012-09-11 14:17:59 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2012-09-11 14:17:59 +0200 |
commit | 6c777beb83875f7e0cc77ca357025608a56b3560 (patch) | |
tree | 4bc1e833ecfd384de6a067a0bcbd154d8d98fa5d /xen/common/tmem_xen.c | |
parent | 09d39e0108811d6bfe1ab7f819b951ea0b1611d7 (diff) | |
tmem: detect arithmetic overflow in tmh_copy_{from,to}_client()
This implies adjusting callers to deal with errors other than -EFAULT
and removing some comments which would otherwise become stale.
Reported-by: Tim Deegan <tim@xen.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Diffstat (limited to 'xen/common/tmem_xen.c')
-rw-r--r-- | xen/common/tmem_xen.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/xen/common/tmem_xen.c b/xen/common/tmem_xen.c
index f41db37e5e..78d2ede1bc 100644
--- a/xen/common/tmem_xen.c
+++ b/xen/common/tmem_xen.c
@@ -153,6 +153,8 @@ EXPORT int tmh_copy_from_client(pfp_t *pfp,
 pfp_t *cli_pfp = NULL;
 int rc = 1;
+ if ( tmem_offset > PAGE_SIZE || pfn_offset > PAGE_SIZE || len > PAGE_SIZE )
+ return -EINVAL;
 ASSERT(pfp != NULL);
 tmem_mfn = page_to_mfn(pfp);
 tmem_va = map_domain_page(tmem_mfn);
@@ -183,6 +185,8 @@ EXPORT int tmh_copy_from_client(pfp_t *pfp,
 pfn_offset, len) )
 rc = -EFAULT;
 }
+ else if ( len )
+ rc = -EINVAL;
 if ( cli_va )
 cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 0);
 unmap_domain_page(tmem_va);
@@ -230,6 +234,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
 pfp_t *cli_pfp = NULL;
 int rc = 1;
+ if ( tmem_offset > PAGE_SIZE || pfn_offset > PAGE_SIZE || len > PAGE_SIZE )
+ return -EINVAL;
 ASSERT(pfp != NULL);
 if ( guest_handle_is_null(clibuf) )
 {
@@ -249,6 +255,8 @@ EXPORT int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
 tmem_va + tmem_offset, len) )
 rc = -EFAULT;
 }
+ else if ( len )
+ rc = -EINVAL;
 unmap_domain_page(tmem_va);
 if ( cli_va )
 cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 1);
|
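Review bot: The guard added at the top of tmh_copy_from_client limits `tmem_offset`, `pfn_offset` and `len` one at a time, so it is not by itself an in-page bounds check: an offset and a length that are each at most PAGE_SIZE can still sum past the end of the page. It appears to exist only so that a later `offset + len` comparison cannot wrap, and that comparison is outside this hunk (presumably the condition ahead of the `else if ( len )` added in the second hunk). A short comment would keep a later reader from treating the guard as the complete check, e.g. `/* Bound each operand so offset + len below cannot wrap; the in-page range check follows. */`. The identical guard in tmh_copy_to_client (third hunk) wants the same comment, and the duplicated condition could live in one small static helper. The function body starts and ends outside the hunk.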
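Review bot: The `else if ( len )` added after the copy block in tmh_copy_from_client leaves `rc` at its initial value 1 when `len` is zero, and the condition it is the `else` of lies outside the hunk, so a reader cannot tell from here whether a zero-length request that misses the earlier branches is a deliberate no-op. A comment would settle it, e.g. `/* Range check failed: reject, unless there was nothing to copy. */`. The same applies to the fourth hunk in tmh_copy_to_client, where the rejected path still reaches `cli_put_page(cmfn, cli_va, cli_pfp, cli_mfn, 1)`; if that last argument marks the client page as modified (not visible here), it is worth confirming that this is intended after a copy that was refused.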