[CRIU] [PATCH 1/3] ipc: Don't access data out of allocated slab, v2
Cyrill Gorcunov
gorcunov at gmail.com
Wed Sep 4 07:10:40 EDT 2013
On Wed, Sep 04, 2013 at 02:57:19PM +0400, Pavel Emelyanov wrote:
> > @@ -75,7 +75,7 @@ static int dump_ipc_sem_set(int fd, const IpcSemEntry *sem)
> > u16 *values;
> >
> > size = sizeof(u16) * sem->nsems;
> > - values = xmalloc(size);
> > + values = xmalloc(round_up(size, sizeof(u64)));
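Review bot: the bytes between size and round_up(size, sizeof(u64)) are left uninitialized by xmalloc in this hunk, and the reply below only promises to memzero() them in a later patch; since the write path already rounds the length (as the review comment notes), this commit on its own copies heap garbage into the image at every bisection point between the two patches. Either zero the padding here (xzalloc, or memzero((void *)values + size, rounded - size)) or squash the zeroing into this patch. Also compute the rounded length once, e.g. `rounded = round_up(size, sizeof(u64));`, and use that same variable for both the allocation and the write, rather than recomputing round_up in two places that can drift apart.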
>
> This round_up can be put into size = ..., since it's also rounded below.
No, I use this feature later in the next patches as
memzero((void *)values + size, rounded - size);
to zeroify the tail, instead of putting trash from the heap.
> > @@ -185,7 +185,7 @@ static int dump_ipc_msg_queue_messages(int fd, const IpcMsgEntry *msq,
> > }
> >
> > msgmax += sizeof(struct msgbuf);
> > - message = xmalloc(msgmax);
> > + message = xmalloc(round_up(msgmax, sizeof(u64)));
>
> This looks useless, as nobody tries to access more than msgmax bytes below.
It's accessed during the _write_ to the image.
ret = write_img_buf(fd, message->mtext, round_up(msg.msize, sizeof(u64)));
> > if (message == NULL) {
> > pr_err("Failed to allocate memory for IPC message\n");
> > return -ENOMEM;
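Review bot: the bound here is indirect and should be documented next to the xmalloc. The allocation rounds msgmax (which already includes sizeof(struct msgbuf)), while the write quoted in the reply, write_img_buf(fd, message->mtext, round_up(msg.msize, sizeof(u64))), starts at the mtext offset and rounds a different quantity. As far as I can tell this only stays in bounds because sizeof(struct msgbuf) is itself a multiple of sizeof(u64) and mtext sits inside that struct, so round_up(msgmax, 8) leaves at least sizeof(struct msgbuf) - offsetof(mtext) bytes of slack after the rounded payload; a one-line comment stating that would save the next reader from rederiving it. The rounding also means up to seven uninitialized heap bytes past msg.msize are written into the image per message; zero that tail (or use xzalloc) before the write. The NULL check and -ENOMEM return in the following context lines look right.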
> > @@ -472,7 +472,7 @@ void ipc_sem_handler(int fd, void *obj)
> >
> > pr_msg("\n");
> > size = sizeof(u16) * e->nsems;
> > - values = xmalloc(size);
> > + values = xmalloc(round_up(size, sizeof(u64)));
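Review bot: this is the third copy of the same xmalloc(round_up(size, sizeof(u64))) idiom in the patch (dump_ipc_sem_set, dump_ipc_msg_queue_messages, and this show handler); a small helper that allocates and zeroes a u64-rounded buffer, or at minimum a comment at each site saying why the buffer must be a multiple of sizeof(u64), would keep the call sites from diverging when the image layout changes. Here the buffer is filled from the image rather than written, so the padding does not leak anything, but the read below presumably uses the same rounded length; as the review comment suggests, fold the round_up into size (or a single rounded variable) so the allocation and the read cannot disagree.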
>
> This round_up can be put into size = ... line as well.
Yup, attached.