On Tue, Oct 01, 2019 at 10:57:13AM +0100, Andrew Cooper wrote:
> On 30/09/2019 14:32, Roger Pau Monne wrote:
> > diff --git a/xen/include/asm-x86/hvm/ioreq.h 
> > b/xen/include/asm-x86/hvm/ioreq.h
> > index 65491c48d2..c3917aa74d 100644
> > --- a/xen/include/asm-x86/hvm/ioreq.h
> > +++ b/xen/include/asm-x86/hvm/ioreq.h
> > @@ -54,6 +54,12 @@ unsigned int hvm_broadcast_ioreq(ioreq_t *p, bool 
> > buffered);
> >  
> >  void hvm_ioreq_init(struct domain *d);
> >  
> > +static inline bool hvm_ioreq_is_internal(unsigned int id)
> > +{
> > +    ASSERT(id < MAX_NR_IOREQ_SERVERS);
> > +    return id >= MAX_NR_EXTERNAL_IOREQ_SERVERS;
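
Review bot: the ASSERT(id < MAX_NR_IOREQ_SERVERS) at the top of hvm_ioreq_is_internal() makes the helper safe only if every caller has already range-checked id, and nothing in the hunk documents that precondition. ASSERT() is compiled out of non-debug builds, so for an id that reaches the helper unvalidated it is a crash in debug builds and no check at all in release builds. Suggest dropping the assertion so the helper only classifies (return id >= MAX_NR_EXTERNAL_IOREQ_SERVERS;) and adding a one-line comment stating that range validation belongs to the code that looks the server up.
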
> 
> You cannot ASSERT() here.  id is guest-controlled data in the dm_op() path.

Urg, right, thanks for noticing. There's no check prior to calling
hvm_ioreq_is_internal on the dm_op path.

I guess just returning true if id >= MAX_NR_EXTERNAL_IOREQ_SERVERS
would be OK, get_ioreq_server already copes with overflowing ids.

Thanks, Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
