433921 – xen ia64 build fails with array subscript is above array bounds

Bug 433921 - xen ia64 build fails with array subscript is above array bounds

Summary: xen ia64 build fails with array subscript is above array bounds

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xen
Sub Component:
Version:	9
Hardware:	ia64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Xen Maintainance List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	fedora-ia64
TreeView+	depends on / blocked

Reported:	2008-02-22 04:48 UTC by Doug Chapman
Modified:	2008-07-09 11:08 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-07-09 11:08:25 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Doug Chapman 2008-02-22 04:48:32 UTC

Description of problem:

When building the xen package on ia64 the build fails with:

ia64/xc_ia64_stubs.c: In function 'xc_ia64_p2m_map':
ia64/xc_ia64_stubs.c:95: error: array subscript is above array bounds

the full build log can be found at:
http://ia64.koji.fedoraproject.org/koji/getfile?taskID=6484&name=build.log


Version-Release number of selected component (if applicable):
xen-3.2.0-7.fc9

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Berrangé 2008-02-23 16:58:37 UTC

Looks like a buffer overflow in the ia64 specific Xen userspace code.

xc_ia64_map_foreign_p2m method in tools/libxc/ia64/xc_ia64_stubs.c is assigning
to 6 array members:

    privcmd_hypercall_t hypercall;
    ....

    hypercall.op = __HYPERVISOR_ia64_dom0vp_op;
    hypercall.arg[0] = IA64_DOM0VP_expose_foreign_p2m;
    hypercall.arg[1] = (unsigned long)addr;
    hypercall.arg[2] = dom;
    hypercall.arg[3] = (unsigned long)memmap_info;
    hypercall.arg[4] = flags;
    hypercall.arg[5] = 0;

But the array is declared to only have 5 members in
./tools/include/xen-sys/Linux/privcmd.h

typedef struct privcmd_hypercall
{
        __u64 op;
        __u64 arg[5];
} privcmd_hypercall_t;


Latest xen-unstable still has this flaw.

Comment 2 Daniel Berrangé 2008-02-23 17:06:55 UTC

The hypervisor impl of this hypercall doesn't even seem to want args 4 & 5

    case IA64_DOM0VP_expose_foreign_p2m: {
        XEN_GUEST_HANDLE(char) hnd;
        set_xen_guest_handle(hnd, (char*)arg2);
        ret = dom0vp_expose_foreign_p2m(d, arg0, (domid_t)arg1, hnd, arg3);
        break;
    }


So, its unclear why userspace is setting them

Comment 3 Doug Chapman 2008-03-05 23:13:41 UTC

I have filed this issue upstream as well:

http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1186

Comment 4 Doug Chapman 2008-04-19 21:53:20 UTC

This has been fixed upstream.  Could we get this patch pulled into fedora so
this builds on ia64?

http://xenbits.xensource.com/xen-unstable.hg?rev/716a637722e4

This would be very much appreciated.

thanks,

- Doug

Comment 5 Bug Zapper 2008-05-14 05:20:06 UTC

Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Doug Chapman 2008-06-11 15:58:03 UTC

This has been upstream for some time but still not in fedora, can we get this
into fedora so this will build on ia64?

Comment 7 Daniel Berrangé 2008-07-09 11:08:25 UTC

Built into rawhide in xen-3.2.0-16.fc10, and commited but not built into F9

Note You need to log in before you can comment on or make changes to this bug.