On Fri, Sep 21, 2018 at 08:56:45PM +0200, Daniel Kiper wrote:
> On Wed, Sep 19, 2018 at 10:34:47AM +0100, Wei Liu wrote:
> > Hi Daniel,
> >
> > I discovered an out of bounds access issue related to GRUB relocation
> > code path when inspecting early boot code.
> >
> > 9589927e5b changed an EFI only path to work with GRUB. Yet the following
> > two lines within an if condition remained untouched.
> >
> > mod[mbi->mods_count].mod_start = virt_to_mfn(_stext);
> > mod[mbi->mods_count].mod_end = __2M_rwdata_end - _stext;
> >
> > Before your change they were fine because the mod array was created one
> > element larger in Xen (see e22e1c47958a). I don't think GRUB does the
> > same. So this is an out of bounds access for the GRUB case.
>
> You are right! I will post a fix next week.
I think that the issue can be quickly fixed by changing line 180 in
xen/arch/x86/boot/reloc.c with:

mbi_out->mods_addr = alloc_mem((mbi_out->mods_count + 1) * sizeof(*mbi_out_mods));

This way we will get extra space for the Xen hypervisor if it is needed.
If you are OK with that fix I will post a patch.

Daniel
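The allocation-size problem discussed in this thread, modelled as a small stand-alone C example (added here, not Xen's or GRUB's own code): the relocated module table tracks its capacity, and the write to mod[mods_count] is refused when the table was sized to exactly mods_count, which is the out-of-bounds case, and succeeds when one extra slot is reserved as in the proposed fix. The struct layout, alloc/append helpers and sample module list are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the multiboot module descriptor (constructed for this example). */
struct mod_entry { uint32_t mod_start, mod_end; };

/* Relocated module table; capacity is tracked so appends can be checked. */
struct mod_table { struct mod_entry *mods; size_t count, capacity; };

/* Copy the loader's mods into a new table, reserving reserve_extra spare slots.
 * reserve_extra == 0 models the current reloc.c, 1 models the proposed fix. */
int reloc_mods(struct mod_table *out, const struct mod_entry *in,
               size_t count, size_t reserve_extra)
{
    size_t cap = count + reserve_extra;
    out->mods = calloc(cap ? cap : 1, sizeof(*out->mods));
    if (!out->mods) return -1;
    memcpy(out->mods, in, count * sizeof(*in));
    out->count = count;
    out->capacity = cap;
    return 0;
}

/* Write the hypervisor entry at mod[mods_count], as the shared EFI/GRUB path does.
 * Returns -1 instead of writing past the allocation when no slot was reserved. */
int append_xen_entry(struct mod_table *t, uint32_t start, uint32_t end)
{
    if (t->count >= t->capacity) return -1;
    t->mods[t->count].mod_start = start;
    t->mods[t->count].mod_end = end;
    t->count++;
    return 0;
}

/* Constructed sample: two modules handed over by the boot loader. */
static const struct mod_entry sample_mods[2] = { { 0x1000, 0x2000 }, { 0x3000, 0x5000 } };

/* Run the relocation with the given spare-slot count and report the append result:
 * 0 = hypervisor entry stored at index 2, -1 = slot missing (would be out of bounds). */
int run_reloc(size_t reserve_extra)
{
    struct mod_table t;
    if (reloc_mods(&t, sample_mods, 2, reserve_extra)) return -2;
    int rc = append_xen_entry(&t, 0x100000, 0x200000);
    if (rc == 0 && (t.count != 3 || t.mods[2].mod_end != 0x200000))
        rc = -3;
    free(t.mods);
    return rc;
}
```

run_reloc(0) reproduces the mods_count-sized allocation and returns -1; run_reloc(1) reproduces the mods_count + 1 allocation and returns 0.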