Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

From: Jan Beulich
Date: Mon Feb 05 2018 - 10:14:50 EST


>>> On 05.02.18 at 16:03, <arnd@xxxxxxxx> wrote:
> int xen_event_channel_op_compat(int cmd, void *arg)
> {
> - struct evtchn_op op;
> + struct evtchn_op op = { .cmd = cmd, };
> + size_t len;
> int rc;
>
> - op.cmd = cmd;
> - memcpy(&op.u, arg, sizeof(op.u));
> - rc = _hypercall1(int, event_channel_op_compat, &op);
> -
> - switch (cmd) {
> - case EVTCHNOP_close:
> - case EVTCHNOP_send:
> - case EVTCHNOP_bind_vcpu:
> - case EVTCHNOP_unmask:
> - /* no output */
> - break;
> + if (cmd > ARRAY_SIZE(evtchnop_len))
> + return -ENOSYS;
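
Review bot: the bound check "if (cmd > ARRAY_SIZE(evtchnop_len))" at the end of this hunk still accepts cmd == ARRAY_SIZE(evtchnop_len), which is one past the last valid element if cmd is then used to index evtchnop_len; it should be ">=". cmd is also a signed int, so negative values are only rejected here if the comparison converts cmd to the unsigned type of ARRAY_SIZE(); an explicit "cmd < 0" test, or an unsigned parameter, would make that intent visible rather than leaving it to the implicit conversion.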

>= perhaps?

Jan