Re: [Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
On Mon, 2015-05-18 at 14:03 +0100, Wei Liu wrote: On Mon, May 18, 2015 at 01:57:24PM +0100, Andrew Cooper wrote: These changesets cause the respective libxc functions to unconditonally dereference their max_cpus/nodes parameters as part of initial memory allocations. It will fail at obtaining the correct number of cpus/nodes from Xen, as the guest handles will not be NULL. Signed-off-by: Andrew Cooper andrew.coop...@citrix.com CC: Ian Campbell ian.campb...@citrix.com CC: Ian Jackson ian.jack...@eu.citrix.com CC: Wei Liu wei.l...@citrix.com CC: Boris Ostrovsky boris.ostrov...@oracle.com Acked-by: Wei Liu wei.l...@citrix.com Applied, thanks. ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
On 18/05/15 15:34, Boris Ostrovsky wrote: On 05/18/2015 10:09 AM, Andrew Cooper wrote: On 18/05/15 15:00, Boris Ostrovsky wrote: On 05/18/2015 08:57 AM, Andrew Cooper wrote: These changesets cause the respective libxc functions to unconditonally dereference their max_cpus/nodes parameters as part of initial memory allocations. It will fail at obtaining the correct number of cpus/nodes from Xen, as the guest handles will not be NULL. Signed-off-by: Andrew Cooper andrew.coop...@citrix.com CC: Ian Campbell ian.campb...@citrix.com CC: Ian Jackson ian.jack...@eu.citrix.com CC: Wei Liu wei.l...@citrix.com CC: Boris Ostrovsky boris.ostrov...@oracle.com --- Spotted by XenServers Coverity run. --- tools/libxl/libxl.c |4 ++-- tools/misc/xenpm.c|4 ++-- tools/python/xen/lowlevel/xc/xc.c |4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) xenpm bug is already fixed (commit b315cd9cce5b6da7ca89b2d7bad3fb01e7716044 n the staging tree). I am not sure I understand why Coverity complains about other spots. For example, in libxl_get_cpu_topology() num_cpus can be left uninitialized only if xc_cputopoinfo(ctx-xch, num_cpus, NULL) fails, in which case we go to 'GC_FREE; return ret;', so it's not ever used. xc_cputopoinfo(ctx-xch, num_cpus, NULL) unconditionally dereferences and reads num_cpus, and performs a memory allocation based on the result. Ah, OK. xc_cputopoinf() (or, rather, the hypervisor) actually doesn't use the value of dereferenced num_cpus in this case but obviously Coverity can't know about this. So Coverity cross-checks routines to see how callers use the arguments? xc_cputopoinfo(ctx-xch, num_cpus, NULL) dereferences num_cpus as part of its DECLARE_HYPERCALL_BUFFER()s. All of this happens before getting anywhere near the hypervisor. ~Andrew ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
On 05/18/2015 10:09 AM, Andrew Cooper wrote: On 18/05/15 15:00, Boris Ostrovsky wrote: On 05/18/2015 08:57 AM, Andrew Cooper wrote: These changesets cause the respective libxc functions to unconditonally dereference their max_cpus/nodes parameters as part of initial memory allocations. It will fail at obtaining the correct number of cpus/nodes from Xen, as the guest handles will not be NULL. Signed-off-by: Andrew Cooper andrew.coop...@citrix.com CC: Ian Campbell ian.campb...@citrix.com CC: Ian Jackson ian.jack...@eu.citrix.com CC: Wei Liu wei.l...@citrix.com CC: Boris Ostrovsky boris.ostrov...@oracle.com --- Spotted by XenServers Coverity run. --- tools/libxl/libxl.c |4 ++-- tools/misc/xenpm.c|4 ++-- tools/python/xen/lowlevel/xc/xc.c |4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) xenpm bug is already fixed (commit b315cd9cce5b6da7ca89b2d7bad3fb01e7716044 n the staging tree). I am not sure I understand why Coverity complains about other spots. For example, in libxl_get_cpu_topology() num_cpus can be left uninitialized only if xc_cputopoinfo(ctx-xch, num_cpus, NULL) fails, in which case we go to 'GC_FREE; return ret;', so it's not ever used. xc_cputopoinfo(ctx-xch, num_cpus, NULL) unconditionally dereferences and reads num_cpus, and performs a memory allocation based on the result. Ah, OK. xc_cputopoinf() (or, rather, the hypervisor) actually doesn't use the value of dereferenced num_cpus in this case but obviously Coverity can't know about this. So Coverity cross-checks routines to see how callers use the arguments? -boris ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
On 18/05/15 15:00, Boris Ostrovsky wrote: On 05/18/2015 08:57 AM, Andrew Cooper wrote: These changesets cause the respective libxc functions to unconditonally dereference their max_cpus/nodes parameters as part of initial memory allocations. It will fail at obtaining the correct number of cpus/nodes from Xen, as the guest handles will not be NULL. Signed-off-by: Andrew Cooper andrew.coop...@citrix.com CC: Ian Campbell ian.campb...@citrix.com CC: Ian Jackson ian.jack...@eu.citrix.com CC: Wei Liu wei.l...@citrix.com CC: Boris Ostrovsky boris.ostrov...@oracle.com --- Spotted by XenServers Coverity run. --- tools/libxl/libxl.c |4 ++-- tools/misc/xenpm.c|4 ++-- tools/python/xen/lowlevel/xc/xc.c |4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) xenpm bug is already fixed (commit b315cd9cce5b6da7ca89b2d7bad3fb01e7716044 n the staging tree). I am not sure I understand why Coverity complains about other spots. For example, in libxl_get_cpu_topology() num_cpus can be left uninitialized only if xc_cputopoinfo(ctx-xch, num_cpus, NULL) fails, in which case we go to 'GC_FREE; return ret;', so it's not ever used. xc_cputopoinfo(ctx-xch, num_cpus, NULL) unconditionally dereferences and reads num_cpus, and performs a memory allocation based on the result. ~Andrew ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
On Mon, May 18, 2015 at 01:57:24PM +0100, Andrew Cooper wrote: These changesets cause the respective libxc functions to unconditonally dereference their max_cpus/nodes parameters as part of initial memory allocations. It will fail at obtaining the correct number of cpus/nodes from Xen, as the guest handles will not be NULL. Signed-off-by: Andrew Cooper andrew.coop...@citrix.com CC: Ian Campbell ian.campb...@citrix.com CC: Ian Jackson ian.jack...@eu.citrix.com CC: Wei Liu wei.l...@citrix.com CC: Boris Ostrovsky boris.ostrov...@oracle.com Acked-by: Wei Liu wei.l...@citrix.com ___ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
On 05/18/2015 08:57 AM, Andrew Cooper wrote:
These changesets cause the respective libxc functions to unconditonally
dereference their max_cpus/nodes parameters as part of initial memory
allocations. It will fail at obtaining the correct number of cpus/nodes from
Xen, as the guest handles will not be NULL.
Signed-off-by: Andrew Cooper andrew.coop...@citrix.com
CC: Ian Campbell ian.campb...@citrix.com
CC: Ian Jackson ian.jack...@eu.citrix.com
CC: Wei Liu wei.l...@citrix.com
CC: Boris Ostrovsky boris.ostrov...@oracle.com
---
Spotted by XenServers Coverity run.
---
tools/libxl/libxl.c |4 ++--
tools/misc/xenpm.c|4 ++--
tools/python/xen/lowlevel/xc/xc.c |4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
xenpm bug is already fixed (commit
b315cd9cce5b6da7ca89b2d7bad3fb01e7716044 n the staging tree).
I am not sure I understand why Coverity complains about other spots. For
example, in libxl_get_cpu_topology() num_cpus can be left uninitialized
only if xc_cputopoinfo(ctx-xch, num_cpus, NULL) fails, in which case
we go to 'GC_FREE; return ret;', so it's not ever used.
-boris
diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index a6eb2df..295877b 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -5105,7 +5105,7 @@ libxl_cputopology *libxl_get_cpu_topology(libxl_ctx *ctx,
int *nb_cpu_out)
xc_cputopo_t *cputopo;
libxl_cputopology *ret = NULL;
int i;
-unsigned num_cpus;
+unsigned num_cpus = 0;
/* Setting buffer to NULL makes the call return number of CPUs */
if (xc_cputopoinfo(ctx-xch, num_cpus, NULL))
@@ -5191,7 +5191,7 @@ libxl_numainfo *libxl_get_numainfo(libxl_ctx *ctx, int
*nr)
uint32_t *distance;
libxl_numainfo *ret = NULL;
int i, j;
-unsigned num_nodes;
+unsigned num_nodes = 0;
if (xc_numainfo(ctx-xch, num_nodes, NULL, NULL)) {
LOGE(ERROR, Unable to determine number of nodes);
diff --git a/tools/misc/xenpm.c b/tools/misc/xenpm.c
index fe2c001..2f9bd8e 100644
--- a/tools/misc/xenpm.c
+++ b/tools/misc/xenpm.c
@@ -356,7 +356,7 @@ static void signal_int_handler(int signo)
struct timeval tv;
int cx_cap = 0, px_cap = 0;
xc_cputopo_t *cputopo = NULL;
-unsigned max_cpus;
+unsigned max_cpus = 0;
if ( xc_cputopoinfo(xc_handle, max_cpus, NULL) != 0 )
{
@@ -961,7 +961,7 @@ void scaling_governor_func(int argc, char *argv[])
void cpu_topology_func(int argc, char *argv[])
{
xc_cputopo_t *cputopo = NULL;
-unsigned max_cpus;
+unsigned max_cpus = 0;
int i, rc;
if ( xc_cputopoinfo(xc_handle, max_cpus, NULL) != 0 )
diff --git a/tools/python/xen/lowlevel/xc/xc.c
b/tools/python/xen/lowlevel/xc/xc.c
index fbd93db..c77e15b 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -1221,7 +1221,7 @@ static PyObject *pyxc_getcpuinfo(XcObject *self, PyObject
*args, PyObject *kwds)
static PyObject *pyxc_topologyinfo(XcObject *self)
{
xc_cputopo_t *cputopo = NULL;
-unsigned i, num_cpus;
+unsigned i, num_cpus = 0;
PyObject *ret_obj = NULL;
PyObject *cpu_to_core_obj, *cpu_to_socket_obj, *cpu_to_node_obj;
@@ -1293,7 +1293,7 @@ static PyObject *pyxc_topologyinfo(XcObject *self)
static PyObject *pyxc_numainfo(XcObject *self)
{
-unsigned i, j, num_nodes;
+unsigned i, j, num_nodes = 0;
uint64_t free_heap;
PyObject *ret_obj = NULL, *node_to_node_dist_list_obj;
PyObject *node_to_memsize_obj, *node_to_memfree_obj;
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
[Xen-devel] [PATCH] tools: Fix wild memory allocations from c/s 250f0b4 and 85d78b4
These changesets cause the respective libxc functions to unconditonally
dereference their max_cpus/nodes parameters as part of initial memory
allocations. It will fail at obtaining the correct number of cpus/nodes from
Xen, as the guest handles will not be NULL.
Signed-off-by: Andrew Cooper andrew.coop...@citrix.com
CC: Ian Campbell ian.campb...@citrix.com
CC: Ian Jackson ian.jack...@eu.citrix.com
CC: Wei Liu wei.l...@citrix.com
CC: Boris Ostrovsky boris.ostrov...@oracle.com
---
Spotted by XenServers Coverity run.
---
tools/libxl/libxl.c |4 ++--
tools/misc/xenpm.c|4 ++--
tools/python/xen/lowlevel/xc/xc.c |4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
index a6eb2df..295877b 100644
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -5105,7 +5105,7 @@ libxl_cputopology *libxl_get_cpu_topology(libxl_ctx *ctx,
int *nb_cpu_out)
xc_cputopo_t *cputopo;
libxl_cputopology *ret = NULL;
int i;
-unsigned num_cpus;
+unsigned num_cpus = 0;
/* Setting buffer to NULL makes the call return number of CPUs */
if (xc_cputopoinfo(ctx-xch, num_cpus, NULL))
@@ -5191,7 +5191,7 @@ libxl_numainfo *libxl_get_numainfo(libxl_ctx *ctx, int
*nr)
uint32_t *distance;
libxl_numainfo *ret = NULL;
int i, j;
-unsigned num_nodes;
+unsigned num_nodes = 0;
if (xc_numainfo(ctx-xch, num_nodes, NULL, NULL)) {
LOGE(ERROR, Unable to determine number of nodes);
diff --git a/tools/misc/xenpm.c b/tools/misc/xenpm.c
index fe2c001..2f9bd8e 100644
--- a/tools/misc/xenpm.c
+++ b/tools/misc/xenpm.c
@@ -356,7 +356,7 @@ static void signal_int_handler(int signo)
struct timeval tv;
int cx_cap = 0, px_cap = 0;
xc_cputopo_t *cputopo = NULL;
-unsigned max_cpus;
+unsigned max_cpus = 0;
if ( xc_cputopoinfo(xc_handle, max_cpus, NULL) != 0 )
{
@@ -961,7 +961,7 @@ void scaling_governor_func(int argc, char *argv[])
void cpu_topology_func(int argc, char *argv[])
{
xc_cputopo_t *cputopo = NULL;
-unsigned max_cpus;
+unsigned max_cpus = 0;
int i, rc;
if ( xc_cputopoinfo(xc_handle, max_cpus, NULL) != 0 )
diff --git a/tools/python/xen/lowlevel/xc/xc.c
b/tools/python/xen/lowlevel/xc/xc.c
index fbd93db..c77e15b 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -1221,7 +1221,7 @@ static PyObject *pyxc_getcpuinfo(XcObject *self, PyObject
*args, PyObject *kwds)
static PyObject *pyxc_topologyinfo(XcObject *self)
{
xc_cputopo_t *cputopo = NULL;
-unsigned i, num_cpus;
+unsigned i, num_cpus = 0;
PyObject *ret_obj = NULL;
PyObject *cpu_to_core_obj, *cpu_to_socket_obj, *cpu_to_node_obj;
@@ -1293,7 +1293,7 @@ static PyObject *pyxc_topologyinfo(XcObject *self)
static PyObject *pyxc_numainfo(XcObject *self)
{
-unsigned i, j, num_nodes;
+unsigned i, j, num_nodes = 0;
uint64_t free_heap;
PyObject *ret_obj = NULL, *node_to_node_dist_list_obj;
PyObject *node_to_memsize_obj, *node_to_memfree_obj;
--
1.7.10.4
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
