From 3c6881d8d00fbdea64be3b67a41b654da7c71b2d Mon Sep 17 00:00:00 2001 From: Matthew Daley Date: Tue, 13 Nov 2012 11:28:10 +0100 Subject: [PATCH] fix xenctl_cpumap_to_cpumask() buffer size check xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether bits should be masked off from the input cpumap bitmap or not. Fix by using the correct cpumask buffer size in place of sizeof. Signed-off-by: Matthew Daley Compare against copy_bytes instead, and use equality rather than less- or-equal. Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not security relevant (i.e. the bug could not cause memory corruption): _xmalloc() never returns chunks of data smaller than the size of a pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the piece of memory erroneously written to would still be inside the allocation done at the top of the function. Signed-off-by: Jan Beulich Acked-by: Keir Fraser Committed-by: Jan Beulich --- xen/common/domctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/domctl.c b/xen/common/domctl.c index e153cb47ae..a7a6b9f38d 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask( { if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) ) err = -EFAULT; - if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) ) + if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) ) bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7)); } -- 2.30.2