Subject: Re: [PATCH -next] x86/xen: Fix read buffer overflow
From: YueHaibing
To: Juergen Gross
Date: Tue, 18 Dec 2018 18:42:17 +0800
Message-ID: <2fe8f6b7-b791-e7ea-6484-491e089321d5@huawei.com>
In-Reply-To: <7825d772-338a-e39e-eaff-73e666ef5c08@suse.com>
References: <20181218081910.18080-1-yuehaibing@huawei.com> <7825d772-338a-e39e-eaff-73e666ef5c08@suse.com>
List-ID: linux-kernel@vger.kernel.org

On 2018/12/18 16:31, Juergen Gross wrote:
> On 18/12/2018 09:19, YueHaibing wrote:
>> Fix smatch warning:
>>
>> arch/x86/xen/enlighten_pv.c:649 get_trap_addr() error:
>> buffer overflow 'early_idt_handler_array' 32 <= 32
>>
>> Fixes: 42b3a4cb5609 ("x86/xen: Support early interrupts in xen pv guests")
>> Signed-off-by: YueHaibing
>> ---
>> arch/x86/xen/enlighten_pv.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
>> index 2f6787f..81f200d 100644
>> --- a/arch/x86/xen/enlighten_pv.c
>> +++ b/arch/x86/xen/enlighten_pv.c
>> @@ -646,7 +646,7 @@ static bool __ref get_trap_addr(void **addr, unsigned int ist)
>>
>> if (nr == ARRAY_SIZE(trap_array) &&
>> *addr >= (void *)early_idt_handler_array[0] &&
>> - *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS]) {
>> + *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1]) {
>> nr = (*addr - (void *)early_idt_handler_array[0]) /
>> EARLY_IDT_HANDLER_SIZE;
>> *addr = (void *)xen_early_idt_handler_array[nr];
>>
>
> No, this patch is wrong.
>
> early_idt_handler_array is a 2-dimensional array:
>
> const char
> early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];
>
> So above code doesn't do an out of bounds array access, but checks for
> *addr being in the array or outside of it (note the "<" used for the
> test).

Thank you for your explanation.

>
> Juergen
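Review bot: the `+` line's new bound, `*addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1]`, is a behaviour change rather than a bounds fix: any address inside the last slot, early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1], no longer passes the check and is no longer translated to xen_early_idt_handler_array. The removed `-` line reads nothing; with the array declared as early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE], `early_idt_handler_array[NUM_EXCEPTION_VECTORS]` only names the one-past-the-end address that the `<` comparison needs, so the smatch report is a false positive and the patch should be dropped. If the checker must be quieted, an equivalent bound that keeps the same range is `(void *)early_idt_handler_array[0] + sizeof(early_idt_handler_array)`, which avoids indexing with NUM_EXCEPTION_VECTORS.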
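As an added illustration of Juergen's point, this is example code and not the kernel's get_trap_addr(); the array sizes and the helper names (get_trap_nr, translate, last_slot_translated) are assumptions chosen for the example. It shows that the original upper bound is a one-past-the-end address that touches no memory, and that the patched bound drops the last handler slot.

```c
#include <stddef.h>

/* Sizes are assumed for this example; the thread shows only the macro names. */
#define NUM_EXCEPTION_VECTORS 32
#define EARLY_IDT_HANDLER_SIZE 9

/* Same shape as the declaration quoted in the thread. */
static const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];
static const char xen_early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE];

/* Return the handler index for addr, or -1 when addr lies outside the array.
 * upper_index is NUM_EXCEPTION_VECTORS for the original check and
 * NUM_EXCEPTION_VECTORS - 1 for the patched one. */
static int get_trap_nr(const char *addr, int upper_index)
{
    const char *start = early_idt_handler_array[0];
    /* With upper_index == NUM_EXCEPTION_VECTORS this is the one-past-the-end
     * address of the whole 2-D array: forming and comparing it reads no
     * memory, which is the case smatch misreported as an overflow. */
    const char *end = early_idt_handler_array[upper_index];

    if (addr >= start && addr < end)
        return (int)((addr - start) / EARLY_IDT_HANDLER_SIZE);
    return -1;
}

/* Map addr onto the Xen handler table, as the hunk's body does. */
static const char *translate(const char *addr, int upper_index)
{
    int nr = get_trap_nr(addr, upper_index);

    return nr < 0 ? NULL : xen_early_idt_handler_array[nr];
}

/* 1 if the last real handler slot is still translated, 0 if it is dropped. */
static int last_slot_translated(int upper_index)
{
    const char *last = early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1];

    return translate(last, upper_index) ==
           xen_early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1];
}
```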