Message-ID: <53a64a0c-6286-01e5-7eab-1de1543a9241@suse.com>
Date: Tue, 26 Apr 2022 12:23:21 +0200
Subject: [PATCH v3 3/8] libxenguest: guard against overflow from too large p2m when checkpointing
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Wei Liu, Juergen Gross, George Dunlap, Anthony Perard
struct xc_sr_record's length field has just 32 bits. Fill it early and check that the calculated value hasn't overflowed. Additionally check for counter overflow early - there's no point even trying to allocate any memory in such an event.

While there also limit an induction variable's type to unsigned long: There's no gain from it being uint64_t.

Signed-off-by: Jan Beulich
---
Of course looping over test_bit() is pretty inefficient, but given that I have no idea how to test this code I wanted to restrict changes to what can sensibly be seen as no worse than before from just looking at the changes.

--- a/tools/libs/guest/xg_sr_restore.c +++ b/tools/libs/guest/xg_sr_restore.c @@ -424,7 +424,8 @@ static int send_checkpoint_dirty_pfn_lis xc_interface *xch = ctx->xch; int rc = -1; unsigned int count, written; - uint64_t i, *pfns = NULL; + unsigned long i; + uint64_t *pfns = NULL; struct iovec *iov = NULL; xc_shadow_op_stats_t stats = { 0, ctx->restore.p2m_size }; struct xc_sr_record rec = { 
@@ -444,16 +445,28 @@ static int send_checkpoint_dirty_pfn_lis for ( i = 0, count = 0; i < ctx->restore.p2m_size; i++ ) { - if ( test_bit(i, dirty_bitmap) ) - count++; + if ( test_bit(i, dirty_bitmap) && !++count ) + break; } + if ( i < ctx->restore.p2m_size ) + { + ERROR("Too many dirty pfns"); + goto err; + } + + rec.length = count * sizeof(*pfns); + if ( rec.length / sizeof(*pfns) != count ) + { + ERROR("Too many (%u) dirty pfns", count); + goto err; + } - pfns = malloc(count * sizeof(*pfns)); + pfns = malloc(rec.length); if ( !pfns ) { - ERROR("Unable to allocate %zu bytes of memory for dirty pfn list", - count * sizeof(*pfns)); + ERROR("Unable to allocate %u bytes of memory for dirty pfn list", + rec.length); goto err; } @@ -479,8 +492,6 @@ static int send_checkpoint_dirty_pfn_lis goto err; } - rec.length = count * sizeof(*pfns); - iov[0].iov_base = &rec.type; iov[0].iov_len = sizeof(rec.type); @@ -488,7 +499,7 @@ static int send_checkpoint_dirty_pfn_lis iov[1].iov_len = sizeof(rec.length); iov[2].iov_base = pfns; - iov[2].iov_len = count * sizeof(*pfns); + iov[2].iov_len = rec.length; if ( writev_exact(ctx->restore.send_back_fd, iov, 3) ) {
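Review bot: in the first hunk (@@ -424,7 +424,8 @@), i becomes unsigned long but is still compared with ctx->restore.p2m_size and passed to test_bit(), and neither type is visible in the diff; the commit message should state that p2m_size cannot exceed the range of unsigned long on a 32-bit toolstack build (where unsigned long is 32 bits wide) and that test_bit()'s index parameter is at least as wide as the new type, since otherwise the change narrows the loop index instead of merely dropping a needlessly wide one.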
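Review bot: in the second hunk (@@ -444,16 +445,28 @@), the counter-wrap path reports only "Too many dirty pfns" with no number; count has just wrapped to zero at that point, so the value worth logging is the pfn index at which the loop stopped, e.g. ERROR("Too many dirty pfns (counter wrapped at pfn %lu)", i). Two smaller points on the same hunk: the new "%u" conversions for rec.length would be more robust as PRIu32, since the commit message describes the field as a 32-bit one rather than as an unsigned int; and the length check could be stated as a bound before the multiplication, count > UINT32_MAX / sizeof(*pfns), which makes the limit explicit, although the round-trip division as written is also correct because the product is only ever reduced modulo 2^32 and dividing it back then cannot reproduce count.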
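The two overflow conditions the patch guards against, as an added stand-alone example that is not code from the Xen tree or from this patch: the pre-patch arithmetic that silently truncates count * sizeof(*pfns) into a 32-bit length field, the post-patch round-trip check that catches it, and the counting loop with the ++count wrap detection. struct rec, the set_bit()/test_bit() stand-ins and all function names are assumptions chosen for this example; the sample bitmap is constructed inline.

```c
/*
 * Added example, not code from the Xen tree: the two overflow checks the
 * patch introduces, isolated beside the unchecked arithmetic they replace.
 * 'struct rec', the set_bit()/test_bit() stand-ins and all function names
 * are assumptions made for this example.
 */
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Minimal bitmap helpers standing in for libxc's bitops. */
static void set_bit(unsigned long nr, unsigned long *addr)
{
    addr[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG);
}

static int test_bit(unsigned long nr, const unsigned long *addr)
{
    return (addr[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1;
}

/* Stand-in for the record header: both fields are 32 bits on the wire. */
struct rec {
    uint32_t type;
    uint32_t length;
};

/* Pre-patch arithmetic: the size_t product is reduced modulo 2^32 when it
 * lands in the 32-bit field, so 0x20000000 dirty pfns yield a length of 0. */
static uint32_t length_unchecked(unsigned int count)
{
    return count * sizeof(uint64_t);
}

/* Post-patch arithmetic: same product, then the round-trip check. If
 * dividing the stored value back does not give count, the field could
 * not hold the real byte count. */
static bool length_checked(unsigned int count, uint32_t *out)
{
    uint32_t length = count * sizeof(uint64_t);

    if ( length / sizeof(uint64_t) != count )
        return false;
    *out = length;
    return true;
}

/* Counting loop with the patch's wrap detection: ++count yielding 0 means
 * the 32-bit counter wrapped; the loop is left early and i < nbits on
 * exit signals it. */
static bool count_set_bits(const unsigned long *bitmap, unsigned long nbits,
                           unsigned int *count_out)
{
    unsigned long i;
    unsigned int count;

    for ( i = 0, count = 0; i < nbits; i++ )
    {
        if ( test_bit(i, bitmap) && !++count )
            break;
    }
    if ( i < nbits )
        return false;
    *count_out = count;
    return true;
}

/* Fill the header for a bitmap, failing on either overflow condition. */
static bool build_rec(const unsigned long *bitmap, unsigned long nbits,
                      struct rec *rec)
{
    unsigned int count;

    if ( !count_set_bits(bitmap, nbits, &count) )
        return false;
    rec->type = 0; /* placeholder; the real record type is not modelled */
    return length_checked(count, &rec->length);
}

int main(void)
{
    /* Constructed input: a 128-bit bitmap with five bits set. */
    unsigned long bm[128 / CHAR_BIT / sizeof(unsigned long)] = { 0 };
    static const unsigned long set[] = { 0, 1, 63, 64, 100 };
    struct rec rec = { 0, 0 };
    uint32_t len = 0;
    size_t n;

    for ( n = 0; n < sizeof(set) / sizeof(set[0]); n++ )
        set_bit(set[n], bm);
    printf("sample bitmap: %s, length %" PRIu32 "\n",
           build_rec(bm, 128, &rec) ? "ok" : "overflow", rec.length);
    printf("count 0x20000000: unchecked %" PRIu32 ", checked %s\n",
           length_unchecked(0x20000000u),
           length_checked(0x20000000u, &len) ? "ok" : "overflow");
    return 0;
}
```

The round-trip division works on both LP64 and 32-bit builds because an unsigned product that does not fit is always reduced modulo 2^32 on its way into the field, and no wrapped value divided by 8 can equal the original count; the counter wrap cannot be exercised with a test-sized bitmap, so the loop is only shown on the normal path.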