> -----Original Message-----
> From: George Dunlap [mailto:[email protected]]
> Sent: 11 July 2018 11:34
> To: Paul Durrant <[email protected]>; [email protected]
> Cc: Jan Beulich <[email protected]>; Andrew Cooper
> <[email protected]>; George Dunlap
> <[email protected]>; Ian Jackson <[email protected]>; Konrad
> Rzeszutek Wilk <[email protected]>; Stefano Stabellini
> <[email protected]>; Tim (Xen.org) <[email protected]>; Wei Liu
> <[email protected]>
> Subject: Re: [PATCH v2 08/13] x86: add iommu_op to query reserved ranges
>
> On 07/07/2018 12:05 PM, Paul Durrant wrote:
> > @@ -35,17 +93,33 @@ static void iommu_op(xen_iommu_op_t *op)
> >
> > int do_one_iommu_op(xen_iommu_op_buf_t *buf)
> > {
> > - xen_iommu_op_t op;
> > + xen_iommu_op_t op = {};
> > + size_t offset;
> > + static const size_t op_size[] = {
> > + [XEN_IOMMUOP_query_reserved] = sizeof(struct
> xen_iommu_op_query_reserved),
> > + };
> > +
> > + offset = offsetof(struct xen_iommu_op, u);
> >
> > - if ( buf->size < sizeof(op) )
> > + if ( buf->size < offset )
> > return -EFAULT;
> >
> > - if ( copy_from_guest((void *)&op, buf->h, sizeof(op)) )
> > + if ( copy_from_guest((void *)&op, buf->h, offset) )
> > return -EFAULT;
> >
> > if ( op.pad )
> > return -EINVAL;
> >
> > + if ( op.op >= ARRAY_SIZE(op_size) )
> > + return -EOPNOTSUPP;
> > +
> > + if ( buf->size < offset + op_size[op.op] )
> > + return -EFAULT;
> > +
> > + if ( copy_from_guest_offset((void *)&op.u, buf->h, offset,
> > + op_size[op.op]) )
> > + return -EFAULT;
>
> This looks like part of a potential SP1 gadget, so this needs to use
> array_index_nospec().
>
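Review bot: `op_size[op.op]` is read twice with the guest-supplied `op.op` immediately after the `op.op >= ARRAY_SIZE(op_size)` check, so a mis-speculated branch can load an out-of-bounds size; clamp the index once right after the `-EOPNOTSUPP` return, e.g. `op.op = array_index_nospec(op.op, ARRAY_SIZE(op_size));`, so that both the `buf->size` comparison and the `copy_from_guest_offset()` length use the sanitised value. Separately, `op_size[]` is a designated initialiser with only `XEN_IOMMUOP_query_reserved` populated, so any op number below `ARRAY_SIZE(op_size)` that has no entry gets size 0 and sails through the size check with a zero-length copy; unless an op with no payload is intended, treat `op_size[op.op] == 0` as `-EOPNOTSUPP` as well.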
Ok. There is similar code in dm ops too so I'll have a look while I'm at it.

  Paul

> -George

_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel
