>>> On 12.09.16 at 15:57, wrote:
> On 12/09/16 13:43, Jan Beulich wrote:
> On 12.09.16 at 14:29, wrote:
>>> On 12/09/16 12:41, Jan Beulich wrote:
>>> On 12.09.16 at 11:51, wrote:
>>> @@ -205,11 +222,9 @@ void expand_xsave_states(struct vcpu *v, void *dest,
>>> unsigned int size)
>>>
>>> if ( src )
>>> {
>>> -ASSERT((xstate_offsets[in
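Review bot: dropping the `-ASSERT((xstate_offsets[in` line inside `if ( src )` removes a debug-build check on the per-component offset table, while the BUG_ON() the description introduces bounds the caller's `size`, which is a different property; either keep the ASSERT or state in the commit message why the offset check is no longer needed on this path.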
>>> On 12.09.16 at 11:51, wrote:
> @@ -176,6 +187,11 @@ void expand_xsave_states(struct vcpu *v, void *dest,
> unsigned int size)
> u64 xstate_bv = xsave->xsave_hdr.xstate_bv;
> u64 valid;
>
> +/* Check there is state to serialise (i.e. at least an XSAVE_HDR) */
> +BUG_ON(!v->
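Review bot: the `+BUG_ON(!v->` added under the comment "Check there is state to serialise (i.e. at least an XSAVE_HDR)" brings the host down on failure, which is only acceptable if the condition is a hypervisor-internal invariant; the description says both callers pass the appropriate `size`, so name those callers in the comment and confirm that no guest-controllable input can reach this check, otherwise returning an error is the safer choice.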
Without checking the size input, the memcpy() for the uncompressed path might
read off the end of the vcpu's xsave_area. Both callers pass the appropriate
size, so hold them to it with a BUG_ON().
The compressed path is currently dead code, but its attempt to avoid leaking
uninitialised data was in
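As an added illustration (not the patch's or Xen's code), a reduced model of expand_xsave_states() that shows the two points the description makes: a size check before the uncompressed memcpy(), here returning an error where the patch uses BUG_ON(), and a zero-fill on the compacted path so components absent from xstate_bv cannot leak uninitialised bytes. The component table, header struct and 896-byte area size are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define XSTATE_MAX_COMPONENTS 4
#define XSTATE_COMPACTION_ENABLED (1ULL << 63)
#define XSAVE_HDR_OFFSET 512u            /* header follows the 512-byte legacy region */
#define XSAVE_HDR_SIZE   64u
#define XSAVE_AREA_SIZE  896u            /* constructed standard-layout size */
/* Constructed stand-ins for Xen's xstate_offsets[]/xstate_sizes[] tables. */
static const size_t xstate_offsets[XSTATE_MAX_COMPONENTS] = { 0, 160, 576, 832 };
static const size_t xstate_sizes[XSTATE_MAX_COMPONENTS]   = { 160, 256, 256, 64 };
struct xsave_hdr { uint64_t xstate_bv, xcomp_bv; uint8_t reserved[48]; };

/* Expand @xsave (really @xsave_size bytes long) into @dest of @size bytes.
 * Returns false where the patch would BUG_ON(): a caller size that does not
 * match the standard layout, or a source too short for what it claims. */
bool expand_xsave_states(const uint8_t *xsave, size_t xsave_size,
                         uint8_t *dest, size_t size)
{
    struct xsave_hdr hdr;
    size_t src_off = XSAVE_HDR_OFFSET + XSAVE_HDR_SIZE;

    if ( size != XSAVE_AREA_SIZE || xsave_size < src_off )
        return false;
    memcpy(&hdr, xsave + XSAVE_HDR_OFFSET, sizeof(hdr));
    if ( !(hdr.xcomp_bv & XSTATE_COMPACTION_ENABLED) )
    {
        if ( xsave_size < size )
            return false;            /* memcpy() would read off the end of the source */
        memcpy(dest, xsave, size);   /* uncompressed: already in standard layout */
        return true;
    }
    /* Compacted: zero first, so components absent from xstate_bv carry no stale bytes. */
    memset(dest, 0, size);
    memcpy(dest, xsave, src_off);                   /* legacy region + header */
    memset(dest + XSAVE_HDR_OFFSET + 8, 0, 8);      /* standard layout: xcomp_bv = 0 */
    for ( unsigned int i = 2; i < XSTATE_MAX_COMPONENTS; i++ )
    {
        if ( !(hdr.xcomp_bv & (1ULL << i)) )
            continue;                               /* no space reserved in the source */
        if ( src_off + xstate_sizes[i] > xsave_size )
            return false;                           /* truncated source */
        if ( hdr.xstate_bv & (1ULL << i) )
            memcpy(dest + xstate_offsets[i], xsave + src_off, xstate_sizes[i]);
        src_off += xstate_sizes[i];
    }
    return true;
}
```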