On 16.04.2020 13:24, Julien Grall wrote:
> From: Julien Grall <jgr...@amazon.com>
>
> At the moment, *copy_to_guest_offset() will allow the hypervisor to copy
> data to guest handle marked const.
>
> Thankfully, no users of the helper will do that. Rather than hoping this
> can be caught during review, harden copy_to_guest_offset() so the build
> will fail if such users are introduced.
>
> There is no easy way to check whether a const is NULL in C99. The
> approach used is to introduce an unused variable that is non-const and
> assign the handle. If the handle were const, this would fail at build
> because without an explicit cast, it is not possible to assign a const
> variable to a non-const variable.
>
> Suggested-by: Jan Beulich <jbeul...@suse.com>
> Signed-off-by: Julien Grall <jgr...@amazon.com>
Reviewed-by: Jan Beulich <jbeul...@suse.com>

with one further remark:

> --- a/xen/include/asm-x86/guest_access.h
> +++ b/xen/include/asm-x86/guest_access.h
> @@ -87,6 +87,8 @@
> #define copy_to_guest_offset(hnd, off, ptr, nr) ({ \
> const typeof(*(ptr)) *_s = (ptr); \
> char (*_d)[sizeof(*_s)] = (void *)(hnd).p; \
> + /* Check if the handle is not const */ \
> + void *__maybe_unused _t = (hnd).p; \

Not being a native speaker, to me "if" doesn't look appropriate here. I'd use "that" instead, but you may want to confirm this. Overall then maybe "Check that the handle is not for a const type"?

Jan
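Review bot: the comment above the new `_t` line should say what the check relies on, not just that a check happens. `void *__maybe_unused _t = (hnd).p;` only breaks the build because initialising a plain `void *` from a pointer to const discards a qualifier, which compilers report as a warning unless warnings are treated as errors, whereas the existing `_d` line deliberately casts through `(void *)` and therefore never catches a const handle. Suggest something like `/* Fail the build if the handle is for a const type (qualifier would be discarded). */` so a later reader does not "fix" the line by adding the same cast.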
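The const-handle trick from the patch, as an added, self-contained model that is not Xen's code: the handle types, the `DEFINE_HANDLE` helpers, the `copy_words()` function and the use of `memcpy` in place of the real hypervisor-to-guest copy are all constructed for illustration. It compiles for a non-const handle; the const-handle call that the check is meant to reject is left as a comment, because it does not compile.

```c
/* Added example, not Xen code: a minimal model of the const-handle check.
 * Handle types, helper names and the memcpy stand-in are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define __maybe_unused __attribute__((unused))

/* Model of a guest handle: a struct wrapping a typed pointer.  The const
 * variant wraps a pointer to const, like a handle to a const type. */
#define DEFINE_HANDLE(type)       typedef struct { type *p; } handle_##type
#define DEFINE_CONST_HANDLE(type) typedef struct { const type *p; } const_handle_##type

DEFINE_HANDLE(uint32_t);
DEFINE_CONST_HANDLE(uint32_t);

/* Modelled copy_to_guest_offset(); memcpy stands in for the real copy.
 * The `_d` line casts through (void *), so it never catches a const handle.
 * The `_t` line is the check: initialising a plain `void *` from a pointer to
 * const discards a qualifier, which GCC/Clang diagnose and which becomes a
 * build failure under -Werror.  __maybe_unused is placed before the type
 * here (rather than after the `*`) to keep -Wunused-variable quiet. */
#define copy_to_guest_offset(hnd, off, ptr, nr) ({                  \
    const __typeof__(*(ptr)) *_s = (ptr);                           \
    char (*_d)[sizeof(*_s)] = (void *)(hnd).p;                      \
    /* Fail the build if the handle is for a const type. */         \
    __maybe_unused void *_t = (hnd).p;                              \
    memcpy(_d + (off), _s, sizeof(*_s) * (nr));                     \
    0;                                                              \
})

/* Copies n words into a non-const handle at word offset `off` and returns
 * the word now stored at that offset, so the effect is observable. */
uint32_t copy_words(uint32_t *guest_buf, size_t off,
                    const uint32_t *src, size_t n)
{
    handle_uint32_t h = { guest_buf };   /* non-const handle: compiles */
    copy_to_guest_offset(h, off, src, n);
    return guest_buf[off];
}

/* The case the check exists for.  h.p is `const uint32_t *`, so the `_t`
 * initialisation discards a qualifier and the build fails with -Werror.
 * Kept as a comment for exactly that reason.
 *
 * void rejected(const_handle_uint32_t h, const uint32_t *src)
 * {
 *     copy_to_guest_offset(h, 0, src, 1);
 * }
 */

int main(void)
{
    uint32_t buf[8] = { 0 };
    const uint32_t src[2] = { 0xdeadbeefu, 0x12345678u };   /* constructed */
    return copy_words(buf, 3, src, 2) == 0xdeadbeefu ? 0 : 1;
}
```

To see the check fire, uncomment `rejected()` and build with `-Werror`: the only diagnostic is on the `_t` line, which is the point of adding it next to the `_d` line that already existed.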