xenbits.xensource.com Git - xen.git/commit
x86/xlat: fix UB pointer arithmetic in COMPAT_ARG_XLAT_VIRT_BASE
author Roger Pau Monné <roger.pau@citrix.com>
Thu, 27 Mar 2025 14:23:46 +0000 (15:23 +0100)
committer Jan Beulich <jbeulich@suse.com>
Thu, 27 Mar 2025 14:23:46 +0000 (15:23 +0100)
commit 1a2b76c9bc909021698f959059dc074710ecaf0b
tree 6d80fd5cc5e7e6e7aea9d1f77973de3c8600bdb8
parent 069721d639d24457d44ec16cd90c59f41ebf092d
x86/xlat: fix UB pointer arithmetic in COMPAT_ARG_XLAT_VIRT_BASE

UBSAN complains with:

UBSAN: Undefined behaviour in common/compat/memory.c:90:9
pointer operation overflowed ffff820080000000 to 0000020080000000
[...]
Xen call trace:
    [<ffff82d040303782>] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0xc0
    [<ffff82d040304bc3>] F __ubsan_handle_pointer_overflow+0xcb/0x100
    [<ffff82d0402a6259>] F compat_memory_op+0xf1/0x4d20
    [<ffff82d04041532d>] F hvm_memory_op+0x55/0xe0
    [<ffff82d040416150>] F hvm_hypercall+0xae8/0x21b0
    [<ffff82d0403b24ca>] F svm_vmexit_handler+0x1252/0x2450
    [<ffff82d0402049c0>] F svm_stgi_label+0x5/0x15

Adjust the calculations in COMPAT_ARG_XLAT_VIRT_BASE to subtract from the
per-domain area to obtain the mirrored linear address in the 4th slot,
instead of overflowing the per-domain linear address.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: fc302866f42f552337ae7d8d78877aec36e6e2ff
master date: 2025-03-20 12:28:30 +0100
xen/arch/x86/include/asm/x86_64/uaccess.h
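
The add-versus-subtract distinction described in the commit message, as an added example that is not code from this commit or from Xen. The two addresses are taken from the UBSAN line above; the macro and function names are hypothetical, and the GCC/Clang overflow builtins on 64-bit integers stand in for the sanitizer's pointer-overflow check.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the UBSAN report on this page: the flagged operation
 * took ffff820080000000 to 0000020080000000. Names are hypothetical. */
#define PERDOMAIN_ADDR UINT64_C(0xffff820080000000)
#define MIRRORED_ADDR  UINT64_C(0x0000020080000000)

/* Distance between the two addresses, taken in each direction (mod 2^64). */
#define DELTA_UP   (MIRRORED_ADDR - PERDOMAIN_ADDR) /* 0x0000800000000000 */
#define DELTA_DOWN (PERDOMAIN_ADDR - MIRRORED_ADDR) /* 0xffff800000000000 */

/* "Before" shape: reach the lower address by adding an offset and relying
 * on wraparound past 2^64. Returns true when the addition wrapped, which is
 * the condition a pointer-overflow check reports. */
bool mirror_by_add(uint64_t addr, uint64_t *out)
{
    return __builtin_add_overflow(addr, DELTA_UP, out);
}

/* "After" shape: subtract the distance instead. Same result, no wrap. */
bool mirror_by_sub(uint64_t addr, uint64_t *out)
{
    return __builtin_sub_overflow(addr, DELTA_DOWN, out);
}

int main(void)
{
    uint64_t by_add, by_sub;
    bool add_wrapped = mirror_by_add(PERDOMAIN_ADDR, &by_add);
    bool sub_wrapped = mirror_by_sub(PERDOMAIN_ADDR, &by_sub);

    printf("add: %016" PRIx64 " wrapped=%d\n", by_add, add_wrapped);
    printf("sub: %016" PRIx64 " wrapped=%d\n", by_sub, sub_wrapped);
    return 0;
}
```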