On 30/11/2018 09:18, Jan Beulich wrote: >>>> On 29.11.18 at 20:20, <andrew.coop...@citrix.com> wrote: >> In almost all cases, Xen and libxc will agree on the featureset length, >> because they are built from the same source. >> >> However, there are circumstances (e.g. security hotfixes) where the >> featureset >> gets longer and dom0 will, after installing updates, be running with an old >> Xen but new libxc. Despite writing the code with this scenario in mind, >> there >> were some bugs. >> >> First, xen-cpuid's get_featureset() erroneously allocates a buffer based on >> Xen's featureset length, but records libxc's length, which is longer. > "... which may be longer", seeing that nr_features gets initialized from > xc_get_cpu_featureset_size()'s return value, and its subsequent > updating (through xc_get_cpu_featureset()) is only done in certain > cases.
Ah yes - very true. I'll also tweak the following sentence to start with "In this situation, the hypercall bounce ..." > >> The hypercall bounce buffer code reads/writes the recorded length, which is >> beyond the end of the allocated object, and a later free() encounters corrupt >> heap metadata. Fix this by recording the same length that we allocate. >> >> Secondly, get_cpuid_domain_info() has a related bug when the passed-in >> featureset is a different length to libxc's. >> >> A large amount of the libxc cpuid functionality depends on info->featureset >> being as long as expected, and it is allocated appropriately. However, in >> the >> case that a shorter external featureset is passed in, the logic to check for >> trailing nonzero bits may read off the end of it. Rework the logic to use >> the >> correct upper bound. >> >> In addition, leave a comment next to the fields in struct cpuid_domain_info >> explaining the relationship between the various lengths, and how to cope with >> different lengths. >> >> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> > Reviewed-by: Jan Beulich <jbeul...@suse.com> Thanks, ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
