Subject: Re: [PATCH -next] x86/xen: Fix read buffer overflow
From: Juergen Gross <jgross@suse.com>
To: YueHaibing, boris.ostrovsky@oracle.com, sstabellini@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com
Cc: linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, x86@kernel.org
Date: Tue, 18 Dec 2018 09:31:26 +0100
Message-ID: <7825d772-338a-e39e-eaff-73e666ef5c08@suse.com>
In-Reply-To: <20181218081910.18080-1-yuehaibing@huawei.com>
References: <20181218081910.18080-1-yuehaibing@huawei.com>
List-ID: linux-kernel@vger.kernel.org

On 18/12/2018 09:19, YueHaibing wrote:
> Fix smatch warning:
>
> arch/x86/xen/enlighten_pv.c:649 get_trap_addr() error:
> buffer overflow 'early_idt_handler_array' 32 <= 32
>
> Fixes: 42b3a4cb5609 ("x86/xen: Support early interrupts in xen pv guests")
> Signed-off-by: YueHaibing
> ---
> arch/x86/xen/enlighten_pv.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c > index 2f6787f..81f200d 100644 > --- a/arch/x86/xen/enlighten_pv.c > +++ b/arch/x86/xen/enlighten_pv.c
> @@ -646,7 +646,7 @@ static bool __ref get_trap_addr(void **addr, unsigned int ist) > > if (nr == ARRAY_SIZE(trap_array) && > *addr >= (void *)early_idt_handler_array[0] && > - *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS]) { > + *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1]) { > nr = (*addr - (void *)early_idt_handler_array[0]) / > EARLY_IDT_HANDLER_SIZE; > *addr = (void *)xen_early_idt_handler_array[nr]; >

No, this patch is wrong.

early_idt_handler_array is a 2-dimensional array:

const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];

So the above code doesn't do an out of bounds array access, but checks for *addr being in the array or outside of it (note the "<" used for the test).

Juergen
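Review bot: the `- 1` added to the upper bound in this hunk (`*addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1]`) shrinks a half-open range check instead of removing an out-of-bounds read: since early_idt_handler_array is declared as [NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE], row index NUM_EXCEPTION_VECTORS only forms the one-past-the-end address and is never dereferenced, whereas the patched bound excludes every address in the last row, so an *addr in that row would no longer be matched and translated to xen_early_idt_handler_array[nr]. The smatch report should be treated as a false positive; if it has to be silenced, compute the end pointer arithmetically, for example `(void *)early_idt_handler_array + sizeof(early_idt_handler_array)`, which keeps the original semantics, and add a short comment that the range is half-open.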
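Added example, not code from the patch or from the kernel: a stand-alone C model of the range check Juergen describes, with the current upper bound (one-past-the-end row) and the patched one (start of the last row) side by side. NUM_EXCEPTION_VECTORS = 32 comes from the smatch message; EARLY_IDT_HANDLER_SIZE = 9 and the function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's early_idt_handler_array.
 * NUM_EXCEPTION_VECTORS = 32 matches the smatch message; the row size
 * is an assumed value, only the row addresses matter here. */
#define NUM_EXCEPTION_VECTORS 32
#define EARLY_IDT_HANDLER_SIZE 9

static const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];

/* Current kernel test: the upper bound is the one-past-the-end row.
 * early_idt_handler_array + N is the same address the kernel spells as
 * early_idt_handler_array[N]; the address is formed, never dereferenced. */
static bool in_range_current(const void *addr)
{
    return addr >= (const void *)early_idt_handler_array[0] &&
           addr <  (const void *)(early_idt_handler_array + NUM_EXCEPTION_VECTORS);
}

/* Upper bound as the proposed patch would make it: start of the last row,
 * which silently drops every address in that row from the match. */
static bool in_range_patched(const void *addr)
{
    return addr >= (const void *)early_idt_handler_array[0] &&
           addr <  (const void *)(early_idt_handler_array + NUM_EXCEPTION_VECTORS - 1);
}

/* Vector number for an address inside the array, -1 if not matched
 * (mirrors the nr computation in get_trap_addr). */
static int vector_of(const void *addr, bool (*in_range)(const void *))
{
    if (!in_range(addr))
        return -1;
    return (int)(((const char *)addr - early_idt_handler_array[0]) / EARLY_IDT_HANDLER_SIZE);
}

int main(void)
{
    const void *last = early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1];
    const void *end  = early_idt_handler_array + NUM_EXCEPTION_VECTORS;

    /* last row: current=31 patched=-1; one past end: current=-1 patched=-1 */
    printf("last row: current=%d patched=%d\n",
           vector_of(last, in_range_current), vector_of(last, in_range_patched));
    printf("one past end: current=%d patched=%d\n",
           vector_of(end, in_range_current), vector_of(end, in_range_patched));
    return 0;
}
```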