From: Roger Pau Monné Date: Thu, 27 Mar 2025 13:55:57 +0000 (+0100) Subject: x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table() X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=fbb06cfa739052ee243dc875e2641343b3fc029c;p=xen.git x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table() UBSAN complains with: UBSAN: Undefined behaviour in arch/x86/mm/shadow/private.h:515:30 pointer operation overflowed ffff82e000000000 to ffff82dfffffffe0 [...] Xen call trace: [] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0xc0 [] F __ubsan_handle_pointer_overflow+0xcb/0x100 [] F arch/x86/mm/shadow/guest_2.c#sh_page_fault__guest_2+0x1e350 [] F svm_vmexit_handler+0xdf3/0x2450 [] F svm_stgi_label+0x5/0x15 Fix by moving the call to mfn_to_page() after the check of whether the passed gmfn is valid. This avoid the call to mfn_to_page() with an INVALID_MFN parameter. While there make the page local variable const, it's not modified by the function. Signed-off-by: Roger Pau Monné Acked-by: Andrew Cooper master commit: 45ee73f1b24246f13cd9583cb2ee25fb9c782db8 master date: 2025-03-20 12:28:30 +0100 --- diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h index a5fc3a7676..cef9dbef2e 100644 --- a/xen/arch/x86/mm/shadow/private.h +++ b/xen/arch/x86/mm/shadow/private.h @@ -512,13 +512,14 @@ static inline unsigned long __backpointer(const struct page_info *sp) static inline int sh_mfn_is_a_page_table(mfn_t gmfn) { - struct page_info *page = mfn_to_page(gmfn); + const struct page_info *page; struct domain *owner; unsigned long type_info; if ( !mfn_valid(gmfn) ) return 0; + page = mfn_to_page(gmfn); owner = page_get_owner(page); if ( owner && shadow_mode_refcounts(owner) && (page->count_info & PGC_shadowed_pt) )