In-Reply-To: <1eddce614f604c518b9bf238a2f92e4b@AcuMS.aculab.com>
References: <20180202153240.1190361-1-arnd@arndb.de> <1eddce614f604c518b9bf238a2f92e4b@AcuMS.aculab.com>
From: Arnd Bergmann
Date: Mon, 5 Feb 2018 13:37:25 +0100
Message-ID:
Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy
To: David Laight
Cc: Boris Ostrovsky, Juergen Gross, Nicolas Pitre, Andi Kleen, Dan Carpenter, Jan Beulich, xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 5, 2018 at 1:11 PM, David Laight wrote:
> From: Boris Ostrovsky
>> Sent: 02 February 2018 23:34
> ...
>> > switch (cmd) { >> > + case EVTCHNOP_bind_interdomain: >> > + len = sizeof(struct evtchn_bind_interdomain); >> > + break; >> > + case EVTCHNOP_bind_virq: >> > + len = sizeof(struct evtchn_bind_virq); >> > + break; >> > + case EVTCHNOP_bind_pirq: >> > + len = sizeof(struct evtchn_bind_pirq); >> > + break; >> > case EVTCHNOP_close: >> > + len = sizeof(struct evtchn_close); >> > + break; >> > case EVTCHNOP_send: >> > + len = sizeof(struct evtchn_send); >> > + break; >> > + case EVTCHNOP_alloc_unbound: >> > + len = sizeof(struct evtchn_alloc_unbound); >> > + break; >> > + case EVTCHNOP_bind_ipi: >> > + len = sizeof(struct evtchn_bind_ipi); >> > + break; >> > + case EVTCHNOP_status: >> > + len = sizeof(struct evtchn_status); >> > + break; >> > case EVTCHNOP_bind_vcpu: >> > + len = sizeof(struct evtchn_bind_vcpu); >> > + break; >> > case EVTCHNOP_unmask: >> > - /* no output */ >> > + len = sizeof(struct evtchn_unmask); >> > break;
>
> Are the EVTCHNOP_xxx values dense?
> In which case an array is almost certainly better than the switch statement.

They are, yes. PHYSDEVOP_xxx are also consecutive but start at '4'.

Dan made the same comment earlier, and I replied that I had considered it
but went for the more failsafe route.
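Review bot: the hunk removes the shared "/* no output */" arm that EVTCHNOP_close, EVTCHNOP_send, EVTCHNOP_bind_vcpu and EVTCHNOP_unmask used to fall through to and gives each of them its own len, so the "no output" distinction is no longer visible in this switch; please confirm that the copy-back after the hypercall still skips those four commands, or that copying len bytes back to the caller is harmless for them. Also, no default: arm appears in the quoted lines; unless one exists outside the hunk, an unrecognized cmd reaches the memcpy with len unset, so either initialise len before the switch or return an error from a default: arm. If the switch is later replaced by the dense array David suggests, the same explicit range check that gcc emits for the switch ("cmpl $6, %eax; ja .L8" in the dump below) must be written by hand before indexing the table.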
I also verified my assumption now that gcc in fact is smart enough to turn
this into a table by itself:

xen_physdev_op_compat:
	pushq	%r13	#
	leal	-4(%rdi), %eax	#, _2
	pushq	%r12	#
	pushq	%rbp	#
	pushq	%rbx	#
	subq	$24, %rsp	#,
# /git/arm-soc/drivers/xen/fallback.c:59: 	struct physdev_op op = { .cmd = cmd, };
	movq	$0, 4(%rsp)	#, MEM[(struct physdev_op *)&op + 4B]
	movq	$0, 12(%rsp)	#, MEM[(struct physdev_op *)&op + 4B]
	movl	$0, 20(%rsp)	#, MEM[(struct physdev_op *)&op + 4B]
	movl	%edi, (%rsp)	# cmd, op.cmd
	cmpl	$6, %eax	#, _2
	ja	.L8	#,
	movl	%eax, %edi	# _2, _2
# /git/arm-soc/drivers/xen/fallback.c:87: 	memcpy(&op.u, arg, len);
	leaq	8(%rsp), %r12	#, tmp98
	movq	%rsi, %rbx	# arg, arg
	movq	CSWTCH.17(,%rdi,8), %r13	# CSWTCH.17, _5
	movq	%r12, %rdi	# tmp98,
	movq	%r13, %rdx	# _5,
	call	__memcpy	#
# /git/arm-soc/drivers/xen/fallback.c:88: 	rc = _hypercall1(int, physdev_op_compat, &op);
	movq	%rsp, %rdi	#, __arg1
#APP
# 88 "/git/arm-soc/drivers/xen/fallback.c" 1
	call hypercall_page+608	#

     Arnd
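Added example, not the kernel's drivers/xen/fallback.c and not Arnd's patch: a self-contained model of the wrapper pattern the thread is about, with hypothetical command numbers and argument layouts (OP_CLOSE, OP_SEND, OP_BIND_VCPU, OP_STATUS, the op_* structs and union op_arg are all made up). It assumes the pre-fix wrapper copied sizeof(op.u) regardless of cmd, which is what the subject line and the per-command len in the hunk point to. It shows the switch form and David's dense-table form returning the same lengths, including 0 for an out-of-range cmd (the check gcc's "cmpl $6 / ja" performs for the switch), and measures how many bytes past a small argument the unfixed copy pulls in, using a constructed canary-filled arena so the measurement itself never reads unowned memory.

```c
/* Added example: models the compat-wrapper pattern from the thread with
 * hypothetical command numbers and struct layouts (not Xen's evtchn ones). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_CLOSE = 0, OP_SEND = 1, OP_BIND_VCPU = 2, OP_STATUS = 3, OP_MAX = 4 };

struct op_close     { uint32_t port; };
struct op_send      { uint32_t port; };
struct op_bind_vcpu { uint32_t port; uint32_t vcpu; };
struct op_status    { uint32_t dom, port, status, vcpu; uint64_t extra; };

union op_arg {
	struct op_close     close;
	struct op_send      send;
	struct op_bind_vcpu bind_vcpu;
	struct op_status    status;	/* largest member: 24 bytes */
};

struct op {
	uint32_t cmd;
	union op_arg u;
};

/* Switch form, the shape the patch uses. The default: arm is an assumption
 * of this example; it turns an unknown cmd into "copy nothing". */
size_t op_len_switch(unsigned int cmd)
{
	switch (cmd) {
	case OP_CLOSE:     return sizeof(struct op_close);
	case OP_SEND:      return sizeof(struct op_send);
	case OP_BIND_VCPU: return sizeof(struct op_bind_vcpu);
	case OP_STATUS:    return sizeof(struct op_status);
	default:           return 0;
	}
}

/* Dense-table form David suggests. The explicit range check is the same
 * "cmpl $6, %eax / ja .L8" that gcc emitted for the switch in the dump. */
static const size_t op_len_table[OP_MAX] = {
	[OP_CLOSE]     = sizeof(struct op_close),
	[OP_SEND]      = sizeof(struct op_send),
	[OP_BIND_VCPU] = sizeof(struct op_bind_vcpu),
	[OP_STATUS]    = sizeof(struct op_status),
};

size_t op_len_table_lookup(unsigned int cmd)
{
	return cmd < OP_MAX ? op_len_table[cmd] : 0;
}

/* Pre-fix shape (assumed from the subject line): always copies the whole
 * union, so a caller handing over a 4-byte struct has 20 bytes read past it. */
void marshal_unfixed(struct op *op, unsigned int cmd, const void *arg)
{
	op->cmd = cmd;
	memcpy(&op->u, arg, sizeof(op->u));
}

/* Fixed shape: copy only what this command's argument occupies and refuse
 * commands with no known length. */
int marshal_fixed(struct op *op, unsigned int cmd, const void *arg)
{
	size_t len = op_len_switch(cmd);

	if (len == 0)
		return -1;
	memset(op, 0, sizeof(*op));
	op->cmd = cmd;
	memcpy(&op->u, arg, len);
	return 0;
}

/* Measure the over-read safely: the argument sits at the start of a
 * constructed arena whose tail is filled with 0xAA, and we count how many
 * of those tail bytes ended up inside op.u. For a real caller those bytes
 * would be whatever follows the struct on its stack or heap. */
#define CANARY 0xAA

size_t leaked_bytes(unsigned int cmd, int fixed)
{
	unsigned char arena[sizeof(union op_arg) + 16];
	struct op op;
	size_t len = op_len_switch(cmd), n = 0;
	const unsigned char *p = (const unsigned char *)&op.u;

	memset(arena, CANARY, sizeof(arena));
	memset(arena, 0x11, len);		/* the argument proper (constructed) */
	memset(&op, 0, sizeof(op));
	if (fixed)
		marshal_fixed(&op, cmd, arena);
	else
		marshal_unfixed(&op, cmd, arena);
	for (size_t i = 0; i < sizeof(op.u); i++)
		n += (p[i] == CANARY);
	return n;
}

int main(void)
{
	for (unsigned int cmd = 0; cmd <= OP_MAX; cmd++)
		printf("cmd %u: len %zu/%zu, unfixed over-read %zu, fixed %zu\n",
		       cmd, op_len_switch(cmd), op_len_table_lookup(cmd),
		       leaked_bytes(cmd, 0), leaked_bytes(cmd, 1));
	return 0;
}
```

With a 4-byte OP_CLOSE argument the unfixed copy drags 20 canary bytes into op.u; the fixed copy drags none, and an out-of-range cmd gets length 0 from both lookup forms. Whichever form is used, the bound check on cmd is the part that must not be dropped: gcc adds it for free with the switch, but a hand-written table needs it spelled out.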