Bug 433921 - xen ia64 build fails with array subscript is above array bounds
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xen
Version: 9
Hardware: ia64 Linux
Priority: high, Severity: high
Assigned To: Xen Maintainance List
QA Contact: Fedora Extras Quality Assurance
Blocks: fedora-ia64
Reported: 2008-02-21 23:48 EST by Doug Chapman
Modified: 2008-07-09 07:08 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-07-09 07:08:25 EDT
Description Doug Chapman 2008-02-21 23:48:32 EST
Description of problem:

When building the xen package on ia64 the build fails with:

ia64/xc_ia64_stubs.c: In function 'xc_ia64_p2m_map':
ia64/xc_ia64_stubs.c:95: error: array subscript is above array bounds

The full build log can be found at:
http://ia64.koji.fedoraproject.org/koji/getfile?taskID=6484&name=build.log


Version-Release number of selected component (if applicable):
xen-3.2.0-7.fc9

Comment 1 Daniel Berrange 2008-02-23 11:58:37 EST
Looks like a buffer overflow in the ia64 specific Xen userspace code.

xc_ia64_map_foreign_p2m method in tools/libxc/ia64/xc_ia64_stubs.c is assigning
to 6 array members:

    privcmd_hypercall_t hypercall;
    ....

    hypercall.op = __HYPERVISOR_ia64_dom0vp_op;
    hypercall.arg[0] = IA64_DOM0VP_expose_foreign_p2m;
    hypercall.arg[1] = (unsigned long)addr;
    hypercall.arg[2] = dom;
    hypercall.arg[3] = (unsigned long)memmap_info;
    hypercall.arg[4] = flags;
    hypercall.arg[5] = 0;

But the array is declared to only have 5 members in
./tools/include/xen-sys/Linux/privcmd.h

typedef struct privcmd_hypercall
{
        __u64 op;
        __u64 arg[5];
} privcmd_hypercall_t;


Latest xen-unstable still has this flaw.
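
An added illustration of the mismatch described in comment 1 (not code from Xen or from the commenters): it shows that a store to arg[5] lands past the end of a structure laid out like privcmd_hypercall_t, and a filler that derives its limit from the declaration so a six-argument call is refused. All demo_* names, the op number and the argument values are constructed for this example, and uint64_t stands in for __u64.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the privcmd_hypercall_t quoted above; uint64_t stands in for __u64. */
typedef struct demo_hypercall {
    uint64_t op;
    uint64_t arg[5];
} demo_hypercall_t;

/* Capacity is derived from the declaration, so it cannot drift from the header. */
#define DEMO_NARGS (sizeof(((demo_hypercall_t *)0)->arg) / sizeof(uint64_t))

/* Returns 1 when a store to arg[idx] would land outside the structure. */
int demo_store_is_oob(size_t idx)
{
    size_t off = offsetof(demo_hypercall_t, arg) + idx * sizeof(uint64_t);
    return off + sizeof(uint64_t) > sizeof(demo_hypercall_t);
}

/* Fills a hypercall, refusing argument lists longer than the array. */
int demo_hypercall_init(demo_hypercall_t *hc, uint64_t op,
                        const uint64_t *args, size_t nargs)
{
    if (hc == NULL || args == NULL || nargs > DEMO_NARGS)
        return -1;
    hc->op = op;
    for (size_t i = 0; i < DEMO_NARGS; i++)
        hc->arg[i] = (i < nargs) ? args[i] : 0;   /* zero unused slots */
    return 0;
}

/* Builds a call with nargs constructed placeholder arguments. */
int demo_try(size_t nargs)
{
    const uint64_t args[6] = { 1, 2, 3, 4, 5, 0 };   /* constructed values */
    demo_hypercall_t hc;
    return demo_hypercall_init(&hc, 0x20 /* placeholder op */, args, nargs);
}

int main(void)
{
    printf("arg[4] out of bounds: %d\n", demo_store_is_oob(4));
    printf("arg[5] out of bounds: %d\n", demo_store_is_oob(5));
    printf("five-argument call:   %d\n", demo_try(5));
    printf("six-argument call:    %d\n", demo_try(6));
    return 0;
}
```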

Comment 2 Daniel Berrange 2008-02-23 12:06:55 EST
The hypervisor impl of this hypercall doesn't even seem to want args 4 & 5

    case IA64_DOM0VP_expose_foreign_p2m: {
        XEN_GUEST_HANDLE(char) hnd;
        set_xen_guest_handle(hnd, (char*)arg2);
        ret = dom0vp_expose_foreign_p2m(d, arg0, (domid_t)arg1, hnd, arg3);
        break;
    }


So, it's unclear why userspace is setting them.
Comment 3 Doug Chapman 2008-03-05 18:13:41 EST
I have filed this issue upstream as well:

http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1186

Comment 4 Doug Chapman 2008-04-19 17:53:20 EDT
This has been fixed upstream.  Could we get this patch pulled into fedora so
this builds on ia64?

http://xenbits.xensource.com/xen-unstable.hg?rev/716a637722e4

This would be very much appreciated.

thanks,

- Doug
Comment 5 Bug Zapper 2008-05-14 01:20:06 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 6 Doug Chapman 2008-06-11 11:58:03 EDT
This has been upstream for some time but still not in fedora, can we get this
into fedora so this will build on ia64?
Comment 7 Daniel Berrange 2008-07-09 07:08:25 EDT
Built into rawhide in xen-3.2.0-16.fc10, and committed but not built into F9
