bitkeeper revision 1.1159.113.5 (4173ddb2BchxLpqw2qoKi9rPhxXElA)
authorcwc22@centipede.cl.cam.ac.uk <cwc22@centipede.cl.cam.ac.uk>
Mon, 18 Oct 2004 15:13:54 +0000 (15:13 +0000)
committercwc22@centipede.cl.cam.ac.uk <cwc22@centipede.cl.cam.ac.uk>
Mon, 18 Oct 2004 15:13:54 +0000 (15:13 +0000)
added error checking for copying dirty bitmap in PEEK and CLEAN shadow ops

BitKeeper/etc/logging_ok
xen/arch/x86/shadow.c

index 65cb94b67bacfba6c47e69e8f4a82534a00d2e21..c3c6bd3ef7ba321790d904a79d37a2191071e77d 100644 (file)
@@ -11,6 +11,7 @@ br260@labyrinth.cl.cam.ac.uk
 br260@laudney.cl.cam.ac.uk
 cl349@freefall.cl.cam.ac.uk
 cl349@labyrinth.cl.cam.ac.uk
+cwc22@centipede.cl.cam.ac.uk
 djm@kirby.fc.hp.com
 gm281@boulderdash.cl.cam.ac.uk
 gm281@tetrapod.cl.cam.ac.uk
index 545eff74cb77ce4ec5533acdc8afc65eeb5a2adb..4c0512ade8fcfb1d5fedb9bcc6851977a87a4378 100644 (file)
@@ -295,11 +295,20 @@ static int shadow_mode_table_op(
             int bytes = ((((d->max_pages - i) > chunk) ?
                           chunk : (d->max_pages - i)) + 7) / 8;
      
-            copy_to_user(
-                sc->dirty_bitmap + (i/(8*sizeof(unsigned long))),
-                m->shadow_dirty_bitmap +(i/(8*sizeof(unsigned long))),
-                bytes);
-     
+            if (copy_to_user(
+                    sc->dirty_bitmap + (i/(8*sizeof(unsigned long))),
+                    m->shadow_dirty_bitmap +(i/(8*sizeof(unsigned long))),
+                    bytes))
+            {
+                // copy_to_user can fail when copying to guest app memory.
+                // app should zero buffer after mallocing, and pin it
+                rc = -EINVAL;
+                memset(
+                    m->shadow_dirty_bitmap + (i/(8*sizeof(unsigned long))),
+                    0, (d->max_pages/8) - (i/(8*sizeof(unsigned long))));
+                break;
+            }
+
             memset(
                 m->shadow_dirty_bitmap + (i/(8*sizeof(unsigned long))),
                 0, bytes);
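Review bot: The length passed to the new `memset` on the copy-failure path mixes units: `d->max_pages/8` is a byte count, while `i/(8*sizeof(unsigned long))` is the word index used for the pointer offset, so at any non-zero offset the length exceeds the bytes that remain in the bitmap. If `shadow_dirty_bitmap` is an `unsigned long *` sized for `max_pages` bits, as the indexing suggests (its declaration is not in the hunk), this zeroes hypervisor memory past the end of the bitmap whenever the caller's buffer faults partway through the loop. Subtracting the byte offset keeps the clear in bounds: `0, ((d->max_pages + 7)/8) - (i/8));`, assuming `i` only advances in multiples of 8. A failed user copy is also more conventionally reported as `-EFAULT` than `-EINVAL`, here and in the PEEK hunk below. The enclosing loop and `shadow_mode_table_op` itself begin and end outside this hunk.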
@@ -322,8 +331,12 @@ static int shadow_mode_table_op(
         }
  
         sc->pages = d->max_pages;
-        copy_to_user(
-            sc->dirty_bitmap, m->shadow_dirty_bitmap, (d->max_pages+7)/8);
+        if (copy_to_user(
+            sc->dirty_bitmap, m->shadow_dirty_bitmap, (d->max_pages+7)/8))
+        {
+            rc = -EINVAL;
+            break;
+        }
 
         break;