Bug 433921

Summary: xen ia64 build fails with array subscript is above array bounds
Product: Fedora
Reporter: Doug Chapman <dchapman>
Component: xen
Assignee: Xen Maintainance List <xen-maint>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 9
Target Milestone: ---
Target Release: ---
Hardware: ia64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-09 11:08:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 163350

Description Doug Chapman 2008-02-22 04:48:32 UTC
Description of problem:

When building the xen package on ia64 the build fails with:

ia64/xc_ia64_stubs.c: In function 'xc_ia64_p2m_map':
ia64/xc_ia64_stubs.c:95: error: array subscript is above array bounds

the full build log can be found at:
http://ia64.koji.fedoraproject.org/koji/getfile?taskID=6484&name=build.log


Version-Release number of selected component (if applicable):
xen-3.2.0-7.fc9

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Berrangé 2008-02-23 16:58:37 UTC
Looks like a buffer overflow in the ia64 specific Xen userspace code.

xc_ia64_map_foreign_p2m method in tools/libxc/ia64/xc_ia64_stubs.c is assigning
to 6 array members:

    privcmd_hypercall_t hypercall;
    ....

    hypercall.op = __HYPERVISOR_ia64_dom0vp_op;
    hypercall.arg[0] = IA64_DOM0VP_expose_foreign_p2m;
    hypercall.arg[1] = (unsigned long)addr;
    hypercall.arg[2] = dom;
    hypercall.arg[3] = (unsigned long)memmap_info;
    hypercall.arg[4] = flags;
    hypercall.arg[5] = 0;

But the array is declared to only have 5 members in
./tools/include/xen-sys/Linux/privcmd.h

typedef struct privcmd_hypercall
{
        __u64 op;
        __u64 arg[5];
} privcmd_hypercall_t;


Latest xen-unstable still has this flaw.



Comment 2 Daniel Berrangé 2008-02-23 17:06:55 UTC
The hypervisor impl of this hypercall doesn't even seem to want args 4 & 5

    case IA64_DOM0VP_expose_foreign_p2m: {
        XEN_GUEST_HANDLE(char) hnd;
        set_xen_guest_handle(hnd, (char*)arg2);
        ret = dom0vp_expose_foreign_p2m(d, arg0, (domid_t)arg1, hnd, arg3);
        break;
    }


So, it's unclear why userspace is setting them

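As an added illustration of the out-of-bounds write that Comment 1 and Comment 2 describe (example code written for this page, not from Xen, Fedora or either commenter): the struct below mirrors the five-slot `arg` array quoted from privcmd.h, a checked setter refuses the sixth store that the userspace sequence attempts, and a negative-array-size typedef turns an over-long argument list into a compile error. The "array subscript is above array bounds" text in the report is gcc's -Warray-bounds diagnostic, which this build treats as an error; the checked setter is its runtime counterpart. The opcode values are constructed placeholders, the addr/dom/memmap_info/flags values are constructed sample inputs, and the code makes no claim about which slots the hypervisor consumes or what the upstream changeset changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the ABI struct quoted in Comment 1 (uint64_t stands in for __u64):
 * the hypercall carries at most five arguments, arg[0]..arg[4]. */
typedef struct privcmd_hypercall {
    uint64_t op;
    uint64_t arg[5];
} privcmd_hypercall_t;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define PRIVCMD_MAX_ARGS ARRAY_SIZE(((privcmd_hypercall_t *)0)->arg)

/* Constructed stand-ins for the Xen opcode constants; the real values live in
 * Xen's public headers and are not reproduced here. */
#define HYPOTHETICAL_HYPERVISOR_ia64_dom0vp_op        0x21
#define HYPOTHETICAL_IA64_DOM0VP_expose_foreign_p2m   0x11

/* Checked setter: refuses any index outside the declared array instead of
 * storing past the struct on the stack. Returns 1 on success, 0 if rejected. */
static int hypercall_set_arg(privcmd_hypercall_t *h, size_t idx, uint64_t val)
{
    if (idx >= PRIVCMD_MAX_ARGS)
        return 0;
    h->arg[idx] = val;
    return 1;
}

/* Number of slots the userspace sequence in Comment 1 writes: arg[0]..arg[5]. */
#define ORIGINAL_SEQUENCE_NARGS 6

/* Replays the six stores from Comment 1 through the checked setter and returns
 * how many were rejected. Against a five-slot array, only arg[5] is refused. */
static int rejected_stores_in_original_sequence(void)
{
    privcmd_hypercall_t hc = { 0 };
    /* Constructed sample values in the order of the original stores:
     * sub-op, addr, dom, memmap_info, flags, trailing 0. */
    uint64_t vals[ORIGINAL_SEQUENCE_NARGS] = {
        HYPOTHETICAL_IA64_DOM0VP_expose_foreign_p2m, 0x1000, 7, 0x2000, 0, 0
    };
    int rejected = 0;
    size_t i;

    hc.op = HYPOTHETICAL_HYPERVISOR_ia64_dom0vp_op;
    for (i = 0; i < ORIGINAL_SEQUENCE_NARGS; i++)
        if (!hypercall_set_arg(&hc, i, vals[i]))
            rejected++;
    return rejected;
}

/* Where the store to arg[5] would land: byte offset 48 of a 48-byte struct,
 * so the whole eight-byte write falls outside the object, into whatever the
 * compiler placed after it on the stack. Returns 1 if the store is past the end. */
static int last_store_lands_past_struct(void)
{
    size_t off = offsetof(privcmd_hypercall_t, arg)
                 + (ORIGINAL_SEQUENCE_NARGS - 1) * sizeof(uint64_t);
    return off >= sizeof(privcmd_hypercall_t);
}

/* Compile-time guard for a caller that needs n argument slots: the typedef has
 * a negative array size, hence fails to compile, if n exceeds the ABI. Five
 * (sub-op plus four arguments) fits; HYPERCALL_REQUIRE_ARGS(6) would not build. */
#define HYPERCALL_REQUIRE_ARGS(n) \
    typedef char hypercall_args_fit_##n[((n) <= PRIVCMD_MAX_ARGS) ? 1 : -1]
HYPERCALL_REQUIRE_ARGS(5);

int main(void)
{
    printf("slots declared: %zu, rejected stores: %d, last store past struct: %d\n",
           (size_t)PRIVCMD_MAX_ARGS, rejected_stores_in_original_sequence(),
           last_store_lands_past_struct());
    return 0;
}
```

The setter is the cheap runtime fence; the typedef trick is the one that matters for review, because it fails the build the moment someone adds a slot the ABI does not have, independent of which warning flags the build enables.
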
Comment 3 Doug Chapman 2008-03-05 23:13:41 UTC
I have filed this issue upstream as well:

http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1186



Comment 4 Doug Chapman 2008-04-19 21:53:20 UTC
This has been fixed upstream.  Could we get this patch pulled into fedora so
this builds on ia64?

http://xenbits.xensource.com/xen-unstable.hg?rev/716a637722e4

This would be very much appreciated.

thanks,

- Doug


Comment 5 Bug Zapper 2008-05-14 05:20:06 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Doug Chapman 2008-06-11 15:58:03 UTC
This has been upstream for some time but still not in fedora, can we get this
into fedora so this will build on ia64?


Comment 7 Daniel Berrangé 2008-07-09 11:08:25 UTC
Built into rawhide in xen-3.2.0-16.fc10, and committed but not built into F9