On Mon, 2024-07-01 at 16:36 +0100, Andrew Cooper wrote:
> On 24/06/2024 1:28 pm, Jan Beulich wrote:
> > Much like noted in 43d5c5d5f70b ("xen: avoid UB in guest handle
> > arithmetic"), address calculations involved in accessing a struct field
> > can overflow, too. Cast respective pointers to "unsigned long" and
> > convert type checking accordingly. Remaining arithmetic is, despite
> > there possibly being mathematical overflow, okay as per the C99 spec:
> > "A computation involving unsigned operands can never overflow, because a
> > result that cannot be represented by the resulting unsigned integer type
> > is reduced modulo the number that is one greater than the largest value
> > that can be represented by the resulting type." The overflow that we
> > need to guard against is checked for in array_access_ok().
> >
> > While there add the missing (see {,__}copy_to_guest_offset()) is-not-const
> > checks to {,__}copy_field_to_guest().
> >
> > Typically, but not always, no change to generated code; code generation
> > (register allocation) is different for at least common/grant_table.c.
> >
> > Signed-off-by: Jan Beulich <jbeul...@suse.com>
>
> Acked-by: Andrew Cooper <andrew.coop...@citrix.com>

Release-Acked-by: Oleksii Kurochko <oleksii.kuroc...@gmail.com>

~ Oleksii
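The point of the quoted commit message is that computing a struct-field address on a guest-supplied base in pointer arithmetic is undefined behaviour when it overflows, whereas doing the same sum in `unsigned long` is well-defined (it wraps modulo 2^N), so the wrap can then be detected by an explicit check. The following is an added, stand-alone illustration of that pattern; it is not Xen code and does not reproduce `array_access_ok()` or the guest-handle macros. The struct `guest_rec`, the function `field_addr_ok()` and the `GUEST_RANGE_*` bounds are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Constructed example struct: the field we want to reach inside an
 * array of these records at an untrusted base address. */
struct guest_rec {
    uint32_t a;
    uint32_t b;
    uint64_t payload;
};

/* Hypothetical window a guest is allowed to address (constructed values;
 * end is exclusive). Stands in for whatever range check a real
 * hypervisor performs. */
#define GUEST_RANGE_START 0x1000UL
#define GUEST_RANGE_END   0x10000UL

/*
 * Compute the address of records[idx].payload starting from `base`.
 * All arithmetic is done in unsigned long, so a mathematical overflow
 * only wraps (C99 6.2.5) instead of being UB as it would be for
 * `&((struct guest_rec *)base)[idx].payload`. The wrap is then caught
 * by comparing the result against its inputs, and the final range check
 * rejects anything outside the permitted window.
 *
 * Returns 1 and stores the address in *out on success, 0 otherwise.
 */
int field_addr_ok(unsigned long base, unsigned long idx, unsigned long *out)
{
    const unsigned long field_off = offsetof(struct guest_rec, payload);
    const unsigned long rec_size  = sizeof(struct guest_rec);
    unsigned long off, addr, end;

    /* idx * rec_size + field_off must not wrap: check by division first. */
    if (idx > (ULONG_MAX - field_off) / rec_size)
        return 0;
    off = idx * rec_size + field_off;

    /* base + off may wrap; a wrapped sum is smaller than either operand. */
    addr = base + off;
    if (addr < base)
        return 0;

    /* The access spans sizeof(payload) bytes; its end may wrap as well. */
    end = addr + sizeof(((struct guest_rec *)0)->payload);
    if (end < addr)
        return 0;

    /* Finally, the access must lie entirely inside the allowed window. */
    if (addr < GUEST_RANGE_START || end > GUEST_RANGE_END)
        return 0;

    *out = addr;
    return 1;
}

int main(void)
{
    unsigned long addr;
    unsigned long bases[] = { 0x1000UL, ULONG_MAX - 4, 0xFFF8UL };
    for (size_t i = 0; i < sizeof(bases) / sizeof(bases[0]); i++) {
        int ok = field_addr_ok(bases[i], 0, &addr);
        printf("base=%#lx idx=0 -> %s\n", bases[i],
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The record is 16 bytes with `payload` at offset 8, so a base of 0x1000 and index 0 yields 0x1008 and is accepted; a base near `ULONG_MAX` wraps and is rejected by the `addr < base` test; a base of 0xFFF8 produces an address inside the window whose end lands just past it and is rejected by the range check. Using pointer arithmetic for the same computation would give the compiler licence to drop the wrap checks entirely, which is exactly what the cast to `unsigned long` in the patch prevents.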