On 24/06/2024 1:28 pm, Jan Beulich wrote:
> Much like noted in 43d5c5d5f70b ("xen: avoid UB in guest handle
> arithmetic"), address calculations involved in accessing a struct field
> can overflow, too. Cast respective pointers to "unsigned long" and
> convert type checking accordingly. Remaining arithmetic is, despite
> there possibly being mathematical overflow, okay as per the C99 spec:
> "A computation involving unsigned operands can never overflow, because a
> result that cannot be represented by the resulting unsigned integer type
> is reduced modulo the number that is one greater than the largest value
> that can be represented by the resulting type." The overflow that we
> need to guard against is checked for in array_access_ok().
>
> While there add the missing (see {,__}copy_to_guest_offset()) is-not-const
> checks to {,__}copy_field_to_guest().
>
> Typically, but not always, no change to generated code; code generation
> (register allocation) is different for at least common/grant_table.c.
>
> Signed-off-by: Jan Beulich <jbeul...@suse.com>
Acked-by: Andrew Cooper <andrew.coop...@citrix.com>
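The pattern the patch describes, as an added example that is not Xen's code: the field address is computed on unsigned long, so a mathematical overflow wraps modulo 2^N (well-defined) instead of being undefined pointer arithmetic, and the wrap is then rejected by a range check in the spirit of array_access_ok(). struct guest_rec, GUEST_LIMIT and range_ok() are constructed for illustration and do not correspond to Xen's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed guest-visible record (hypothetical, not a Xen structure). */
struct guest_rec {
    uint32_t id;
    uint64_t payload[4];
};

/* Hypothetical upper bound of the guest-accessible address range. */
#define GUEST_LIMIT ((unsigned long)1 << 47)

/* True iff [addr, addr + size) lies entirely below GUEST_LIMIT and does
 * not wrap around zero.  Done on unsigned long only: the addition may
 * wrap, which the C standard defines, and the wrap shows up as end < addr. */
static bool range_ok(unsigned long addr, unsigned long size)
{
    unsigned long end = addr + size;
    return end >= addr && end <= GUEST_LIMIT;
}

/* Guest address of payload[idx] within the record at guest address `base`.
 * The struct pointer is never formed, so an out-of-range base cannot
 * trigger undefined pointer arithmetic; the bound is enforced explicitly.
 * Returns 0 when idx is out of bounds or the access would wrap or exceed
 * GUEST_LIMIT (0 is never a valid result here since the field offset is > 0). */
unsigned long field_addr(unsigned long base, unsigned long idx)
{
    const unsigned long nelem = sizeof(((struct guest_rec *)0)->payload) / sizeof(uint64_t);
    unsigned long off, addr;

    if (idx >= nelem)
        return 0;
    off = offsetof(struct guest_rec, payload) + idx * sizeof(uint64_t);
    addr = base + off;                      /* wraps mod 2^N, never UB */
    if (!range_ok(base, sizeof(struct guest_rec)) || !range_ok(addr, sizeof(uint64_t)))
        return 0;
    return addr;
}

int main(void)
{
    printf("in range:  %#lx\n", field_addr(0x1000, 2));
    printf("wraps:     %#lx\n", field_addr(~0UL - 4, 0));
    printf("past end:  %#lx\n", field_addr(GUEST_LIMIT - 8, 0));
    return 0;
}
```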