Bug 433921
Summary: | xen ia64 build fails with array subscript is above array bounds | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Doug Chapman <dchapman> |
Component: | xen | Assignee: | Xen Maintainance List <xen-maint> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 9 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | ia64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-07-09 11:08:25 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 163350 |
Description
Doug Chapman
2008-02-22 04:48:32 UTC
Looks like a buffer overflow in the ia64 specific Xen userspace code. xc_ia64_map_foreign_p2m method in tools/libxc/ia64/xc_ia64_stubs.c is assigning to 6 array members: privcmd_hypercall_t hypercall; .... hypercall.op = __HYPERVISOR_ia64_dom0vp_op; hypercall.arg[0] = IA64_DOM0VP_expose_foreign_p2m; hypercall.arg[1] = (unsigned long)addr; hypercall.arg[2] = dom; hypercall.arg[3] = (unsigned long)memmap_info; hypercall.arg[4] = flags; hypercall.arg[5] = 0; But the array is declared to only have 5 members in ./tools/include/xen-sys/Linux/privcmd.h typedef struct privcmd_hypercall { __u64 op; __u64 arg[5]; } privcmd_hypercall_t; Latest xen-unstable still has this flaw. The hypervisor impl of this hypercall doesn't even seem to want args 4 & 5 case IA64_DOM0VP_expose_foreign_p2m: { XEN_GUEST_HANDLE(char) hnd; set_xen_guest_handle(hnd, (char*)arg2); ret = dom0vp_expose_foreign_p2m(d, arg0, (domid_t)arg1, hnd, arg3); break; } So, its unclear why userspace is setting them I have filed this issue upstream as well: http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1186 This has been fixed upstream. Could we get this patch pulled into fedora so this builds on ia64? http://xenbits.xensource.com/xen-unstable.hg?rev/716a637722e4 This would be very much appreciated. thanks, - Doug Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping This has been upstream for some time but still not in fedora, can we get this into fedora so this will build on ia64? Built into rawhide in xen-3.2.0-16.fc10, and commited but not built into F9 |