Bug 433921

Summary: xen ia64 build fails with array subscript is above array bounds
Product: Fedora
Reporter: Doug Chapman <dchapman>
Component: xen
Assignee: Xen Maintainance List <xen-maint>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 9
Hardware: ia64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-09 07:08:25 EDT
Bug Blocks: 163350    

Description Doug Chapman 2008-02-21 23:48:32 EST
Description of problem:

When building the xen package on ia64 the build fails with:

ia64/xc_ia64_stubs.c: In function 'xc_ia64_p2m_map':
ia64/xc_ia64_stubs.c:95: error: array subscript is above array bounds

The full build log can be found at:

Comment 1 Daniel Berrange 2008-02-23 11:58:37 EST
Looks like a buffer overflow in the ia64 specific Xen userspace code.

xc_ia64_map_foreign_p2m method in tools/libxc/ia64/xc_ia64_stubs.c is assigning
to 6 array members:

    privcmd_hypercall_t hypercall;

    hypercall.op = __HYPERVISOR_ia64_dom0vp_op;
    hypercall.arg[0] = IA64_DOM0VP_expose_foreign_p2m;
    hypercall.arg[1] = (unsigned long)addr;
    hypercall.arg[2] = dom;
    hypercall.arg[3] = (unsigned long)memmap_info;
    hypercall.arg[4] = flags;
    hypercall.arg[5] = 0;

But the array is declared to only have 5 members in

typedef struct privcmd_hypercall {
        __u64 op;
        __u64 arg[5];
} privcmd_hypercall_t;

Latest xen-unstable still has this flaw.

Comment 2 Daniel Berrange 2008-02-23 12:06:55 EST
The hypervisor impl of this hypercall doesn't even seem to want args 4 & 5.

    case IA64_DOM0VP_expose_foreign_p2m: {
        XEN_GUEST_HANDLE(char) hnd;
        set_xen_guest_handle(hnd, (char*)arg2);
        ret = dom0vp_expose_foreign_p2m(d, arg0, (domid_t)arg1, hnd, arg3);

So, it's unclear why userspace is setting them.
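
An added illustration, not code from this bug, libxc or Xen: the struct below is the privcmd_hypercall layout quoted in Comment 1, and build_hypercall is a constructed bounds-checked filler that rejects a sixth argument instead of writing one word past arg[4] on the stack, which is what the compiler warned about in xc_ia64_p2m_map. The sample argument values are constructed stand-ins for the subop, addr, dom, memmap_info and flags words.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from Comment 1: one op word followed by five argument words. */
typedef struct privcmd_hypercall {
    uint64_t op;
    uint64_t arg[5];
} privcmd_hypercall_t;

/* Capacity derived from the declaration itself, so a caller's argument
 * count is always checked against the real size, not a copied constant. */
#define HYPERCALL_NARGS (sizeof(((privcmd_hypercall_t *)0)->arg) / sizeof(uint64_t))
_Static_assert(HYPERCALL_NARGS == 5, "privcmd_hypercall arg[] capacity changed");

size_t hypercall_arg_capacity(void) { return HYPERCALL_NARGS; }

/* Fill hc from an argument list. Returns 0 on success, -1 when nargs would
 * exceed arg[] (the case in xc_ia64_map_foreign_p2m, which stored arg[5]).
 * Slots the caller did not supply are zeroed so nothing stale is passed on. */
int build_hypercall(privcmd_hypercall_t *hc, uint64_t op,
                    const uint64_t *args, size_t nargs)
{
    if (hc == NULL || (nargs > 0 && args == NULL) || nargs > HYPERCALL_NARGS)
        return -1;
    memset(hc, 0, sizeof *hc);
    hc->op = op;
    memcpy(hc->arg, args, nargs * sizeof args[0]);
    return 0;
}

int main(void)
{
    privcmd_hypercall_t hc;
    /* Constructed sample words: subop, addr, dom, memmap_info, flags. */
    uint64_t five[] = { 1, 0x1000, 3, 0x2000, 0 };
    /* Same list with the extra trailing zero the libxc code wrote. */
    uint64_t six[]  = { 1, 0x1000, 3, 0x2000, 0, 0 };

    printf("five args: %d\n", build_hypercall(&hc, 42, five, 5)); /* 0 */
    printf("six args:  %d\n", build_hypercall(&hc, 42, six, 6));  /* -1 */
    return 0;
}
```
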
Comment 3 Doug Chapman 2008-03-05 18:13:41 EST
I have filed this issue upstream as well:


Comment 4 Doug Chapman 2008-04-19 17:53:20 EDT
This has been fixed upstream. Could we get this patch pulled into fedora so
this builds on ia64?

This would be very much appreciated.

- Doug
Comment 5 Bug Zapper 2008-05-14 01:20:06 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and the reason for this action are here:
Comment 6 Doug Chapman 2008-06-11 11:58:03 EDT
This has been upstream for some time but still not in fedora, can we get this
into fedora so this will build on ia64?
Comment 7 Daniel Berrange 2008-07-09 07:08:25 EDT
Built into rawhide in xen-3.2.0-16.fc10, and committed but not built into F9.