On Wed, Feb 05, 2020 at 02:17:02PM +0100, Jan Beulich wrote:
> Checking the result of a multiplication against a certain limit has no
> sufficient implication on the original value's range. In the case here
> it is in particular problematic that while handling the domctl we do
>
>     if ( copy_from_guest(info->vdistance, uinfo->vdistance,
>                          nr_vnodes * nr_vnodes) )
>         goto vnuma_fail;
>
> which means copying sizeof(unsigned int) * (nr_vnodes * nr_vnodes)
> bytes, and the handling of XENMEM_get_vnumainfo similarly has
>
>     tmp.vdistance = xmalloc_array(unsigned int, dom_vnodes * dom_vnodes);
>
> which means allocating sizeof(unsigned int) * (dom_vnodes * dom_vnodes)
> bytes, whereas it then goes on doing this:
>
>     memcpy(tmp.vdistance, d->vnuma->vdistance,
>            sizeof(*d->vnuma->vdistance) * dom_vnodes * dom_vnodes);
>
> Note the lack of parentheses in the multiplication expression.
>
> Adjust the overflow check, moving the must-not-be-zero one right next to
> it to avoid questions on whether there might be division by zero.
>
> Signed-off-by: Jan Beulich <jbeul...@suse.com>
Reviewed-by: Wei Liu <w...@xen.org>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
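The pitfall the quoted commit message describes, shown as an added C example that is not part of the patch or of the Xen code base. The cap MAX_ELEMS, the function names and the sample node counts are assumptions chosen for illustration; the point is that a check on the wrapped product n*n says nothing about n, while a check on the factor (after ruling out zero so the division is defined) cannot be bypassed by wraparound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on the number of matrix elements; not a Xen constant. */
#define MAX_ELEMS 4096U

/* The pattern the message warns about: the limit is applied to the product
 * n*n, which in 32-bit unsigned arithmetic is computed modulo 2^32 and wraps
 * for n >= 65536. A huge n can therefore yield a small (even zero) product
 * and pass. Returns true when this check accepts n. */
bool product_check_accepts(uint32_t n)
{
    uint32_t product = n * n;            /* wraps for n >= 65536 */
    return n != 0 && product <= MAX_ELEMS;
}

/* Corrected pattern: reject zero first so the division below is defined,
 * then bound the factor by MAX_ELEMS / n. For n > 0, n <= MAX_ELEMS / n is
 * exactly n*n <= MAX_ELEMS, but no intermediate value can wrap.
 * Returns true when n is accepted. */
bool factor_check_accepts(uint32_t n)
{
    if ( n == 0 )
        return false;
    return n <= MAX_ELEMS / n;
}

/* Byte count for an n-by-n array of unsigned int, computed only after the
 * factor check, so sizeof(unsigned int) * (n * n) cannot overflow size_t.
 * Returns 0 when n is rejected. */
size_t matrix_bytes(uint32_t n)
{
    if ( !factor_check_accepts(n) )
        return 0;
    return sizeof(unsigned int) * ((size_t)n * n);
}

int main(void)
{
    /* Constructed sample node counts, including the wraparound case. */
    const uint32_t samples[] = { 0, 1, 64, 65, 65536, 65537 };
    size_t i;

    for ( i = 0; i < sizeof(samples) / sizeof(samples[0]); i++ )
    {
        uint32_t n = samples[i];
        printf("n=%6u  product-check=%s  factor-check=%s  bytes=%zu\n",
               (unsigned)n,
               product_check_accepts(n) ? "accept" : "reject",
               factor_check_accepts(n) ? "accept" : "reject",
               matrix_bytes(n));
    }
    return 0;
}
```

With MAX_ELEMS = 4096 the honest boundary is n = 64. The product check wrongly accepts n = 65536 because 65536 * 65536 wraps to 0, whereas the factor check rejects it; on a kernel-style code path that value would then drive both the copy length and the allocation size.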