ia64/linux-2.6.18-xen.hg

changeset 546:3044873a84b7

Avoid theoretical TOCTTOU bug in block backend nr_segments checking.

Based on a patch by Steven Smith <steven.smith@citrix.com>

Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue May 13 10:28:48 2008 +0100 (2008-05-13)
parents 29b8c3f36603
children e25f25110882
files drivers/xen/blkback/blkback.c drivers/xen/blktap/blktap.c include/xen/blkif.h
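--- a/drivers/xen/blkback/blkback.c	Tue May 13 09:32:00 2008 +0100
+++ b/drivers/xen/blkback/blkback.c	Tue May 13 10:28:48 2008 +0100
@@ -344,6 +344,9 @@ static int do_block_io_op(blkif_t *blkif
 		}
 		blk_rings->common.req_cons = ++rc; /* before make_response() */
 
+		/* Apply all sanity checks to /private copy/ of request. */
+		barrier();
+
 		switch (req.operation) {
 		case BLKIF_OP_READ:
 			blkif->st_rd_req++;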
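Review bot: The new comment above `barrier()` states the intent but not the mechanism, and `barrier()` only constrains the compiler, so a reader can mistake it for an ordering guarantee against the frontend. I would spell it out, e.g. `/* Compiler barrier: req is our private copy; do not let the compiler re-read fields from the shared ring slot, which the frontend can rewrite at any time. */`. The copy into `req` happens before this hunk, so whether every later check in do_block_io_op and its callees reads only `req` cannot be confirmed from here. The identical hunk in drivers/xen/blktap/blktap.c needs the same wording.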
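--- a/drivers/xen/blktap/blktap.c	Tue May 13 09:32:00 2008 +0100
+++ b/drivers/xen/blktap/blktap.c	Tue May 13 10:28:48 2008 +0100
@@ -1264,6 +1264,9 @@ static int do_block_io_op(blkif_t *blkif
 		}
 		blk_rings->common.req_cons = ++rc; /* before make_response() */
 
+		/* Apply all sanity checks to /private copy/ of request. */
+		barrier();
+
 		switch (req.operation) {
 		case BLKIF_OP_READ:
 			blkif->st_rd_req++;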
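--- a/include/xen/blkif.h	Tue May 13 09:32:00 2008 +0100
+++ b/include/xen/blkif.h	Tue May 13 10:28:48 2008 +0100
@@ -98,8 +98,9 @@ static void inline blkif_get_x86_32_req(
 	dst->handle = src->handle;
 	dst->id = src->id;
 	dst->sector_number = src->sector_number;
-	if (n > src->nr_segments)
-		n = src->nr_segments;
+	barrier();
+	if (n > dst->nr_segments)
+		n = dst->nr_segments;
 	for (i = 0; i < n; i++)
 		dst->seg[i] = src->seg[i];
 }
@@ -112,8 +113,9 @@ static void inline blkif_get_x86_64_req(
 	dst->handle = src->handle;
 	dst->id = src->id;
 	dst->sector_number = src->sector_number;
-	if (n > src->nr_segments)
-		n = src->nr_segments;
+	barrier();
+	if (n > dst->nr_segments)
+		n = dst->nr_segments;
 	for (i = 0; i < n; i++)
 		dst->seg[i] = src->seg[i];
 }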
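Review bot: The clamp `if (n > dst->nr_segments)` in blkif_get_x86_32_req (and the same lines in blkif_get_x86_64_req) bounds only the copy loop; `dst->nr_segments` itself still holds whatever the frontend wrote, so the consumer must reject a value above the segment array size before using it as a count. That check and the initial value of `n` are outside these hunks, so this is a request to confirm rather than a confirmed defect. The bare `barrier();` also deserves a comment, e.g. `/* src is in the shared ring: clamp against the private copy, never re-read src->nr_segments */`.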