From patchwork Tue Jul 25 18:55:40 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 9862727 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id EE833601A1 for ; Tue, 25 Jul 2017 18:57:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E5E642859F for ; Tue, 25 Jul 2017 18:57:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DAA9328639; Tue, 25 Jul 2017 18:57:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 675E82859F for ; Tue, 25 Jul 2017 18:57:45 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1da4zi-0002Mo-Vi; Tue, 25 Jul 2017 18:55:46 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1da4zh-0002Mi-NE for xen-devel@lists.xen.org; Tue, 25 Jul 2017 18:55:45 +0000 Received: from [85.158.143.35] by server-3.bemta-6.messagelabs.com id A1/7C-03044-13497795; Tue, 25 Jul 2017 18:55:45 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBLMWRWlGSWpSXmKPExsXitHSDva7BlPJ Igz8z1S2WfFzM4sDocXT3b6YAxijWzLyk/IoE1ozdvzewFyzjrGi4tJi9gXESexcjJ4eEgL/E opd7WUFsNgF9id0vPjGB2CIC6hKnOy6CxZkFyiX2Nl1i62Lk4BAWcJF4e5YXJMwioCrx48M8Z 
hCbV8BDYvHkicwQI+Ukzh//CWYLCahJXOu/xA5RIyhxcuYTFoiREhIHX7xgnsDIPQtJahaS1A JGplWMGsWpRWWpRbpGhnpJRZnpGSW5iZk5uoYGZnq5qcXFiempOYlJxXrJ+bmbGIGhwAAEOxj /LAs4xCjJwaQkyvtNtzxSiC8pP6UyI7E4I76oNCe1+BCjDAeHkgQv/2SgnGBRanpqRVpmDjAo YdISHDxKIrxTJgGleYsLEnOLM9MhUqcYdTleTfj/jUmIJS8/L1VKnJcVZIYASFFGaR7cCFiEX GKUlRLmZQQ6SoinILUoN7MEVf4VozgHo5Iw71WQVTyZeSVwm14BHcEEdMScGaUgR5QkIqSkGh h12399erykJIQhJNjnzkrbHJ93cedLr/594//u7Ol/lTMXJiwR/nLsU/tqD+1/5cFnmVwUmRb GWxYus6xPX82pIemkESR5rOxym/PN5PUfH+96fVXr4MeluZlxTKe8ZHfP2NKiwbvK6F3GD5b8 5M22lr96A8sP/1CtOuxhx/Z97/5jOTnHrnxTYinOSDTUYi4qTgQAX5N4uYsCAAA= X-Env-Sender: prvs=3721034a5=Andrew.Cooper3@citrix.com X-Msg-Ref: server-16.tower-21.messagelabs.com!1501008943!62936231!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n, received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.4.25; banners=-,-,- X-VirusChecked: Checked Received: (qmail 19822 invoked from network); 25 Jul 2017 18:55:44 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-16.tower-21.messagelabs.com with RC4-SHA encrypted SMTP; 25 Jul 2017 18:55:44 -0000 X-IronPort-AV: E=Sophos;i="5.40,412,1496102400"; d="scan'208";a="441276072" 
From: Andrew Cooper To: Xen-devel Date: Tue, 25 Jul 2017 19:55:40 +0100 Message-ID: <1501008940-1755-1-git-send-email-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.1.4 MIME-Version: 1.0 Cc: Andrew Cooper , Paul Durrant , Jan Beulich Subject: [Xen-devel] [PATCH] x86/hvm: Fix boundary check in hvmemul_insn_fetch() X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP c/s 0943a03037 added some extra protection for overflowing the emulation instruction cache, but Coverity points out that boundary condition is off by one when memcpy()'ing out of the buffer. Signed-off-by: Andrew Cooper Reviewed-by: Paul Durrant --- CC: Jan Beulich CC: Paul Durrant --- xen/arch/x86/hvm/emulate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c index 495e312..52bed04 100644 --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -958,8 +958,8 @@ int hvmemul_insn_fetch( * Will we overflow insn_buf[]? This shouldn't be able to happen, * which means something went wrong with instruction decoding... */ - if ( insn_off > sizeof(hvmemul_ctxt->insn_buf) || - (insn_off + bytes) > sizeof(hvmemul_ctxt->insn_buf) ) + if ( insn_off >= sizeof(hvmemul_ctxt->insn_buf) || + (insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf) ) { ASSERT_UNREACHABLE(); return X86EMUL_UNHANDLEABLE;
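Review bot: the second comparison in this hunk becomes too strict. `(insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf)` now rejects the case insn_off + bytes == sizeof(insn_buf), yet that is a legitimate fetch of the final bytes of the cache: a memcpy() of `bytes` starting at `insn_off` reads exactly up to, and not past, the end of the buffer. Only the first condition needed tightening, because insn_off == sizeof(insn_buf) would index one element past the end before any bytes are copied. Suggest keeping `>` on the length check: `if ( insn_off >= sizeof(hvmemul_ctxt->insn_buf) ||` / `(insn_off + bytes) > sizeof(hvmemul_ctxt->insn_buf) )`. As written, a maximal-length instruction that exactly fills insn_buf would trip ASSERT_UNREACHABLE() and fail with X86EMUL_UNHANDLEABLE instead of being emulated, which turns an in-bounds fetch into a spurious emulation failure.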