From: Paolo Bonzini <pbonzini@redhat.com> Date: Thu, 13 Aug 2009 18:00:26 +0200 Subject: [xen] blkfront: check for out-of-bounds array accesses Message-id: 1250179227-23431-3-git-send-email-pbonzini@redhat.com O-Subject: [RHEL5.5 PATCH] BZ517238: correctly check for out-of-bounds array accesses Bugzilla: 517238 RH-Acked-by: Dean Nelson <dnelson@redhat.com> RH-Acked-by: Prarit Bhargava <prarit@redhat.com> RH-Acked-by: Don Dutile <ddutile@redhat.com> RH-Acked-by: Chris Lalancette <clalance@redhat.com> Bugzilla: https://bugzilla.redhat.com/attachment.cgi?bugid=517238 Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1927355 Upstream: http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/922 This is a trivial fix to an out-of-bounds check. free must not be exactly BLK_RING_SIZE, but this check was missed. No testcase known triggering the BUG_ON (and hopefully there is none), hence not tested beyond booting a domU. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> diff --git a/drivers/xen/blkfront/blkfront.c b/drivers/xen/blkfront/blkfront.c index f8cba8f..438ec0d 100644 --- a/drivers/xen/blkfront/blkfront.c +++ b/drivers/xen/blkfront/blkfront.c @@ -404,7 +404,7 @@ static inline int GET_ID_FROM_FREELIST( struct blkfront_info *info) { unsigned long free = info->shadow_free; - BUG_ON(free > BLK_RING_SIZE); + BUG_ON(free >= BLK_RING_SIZE); info->shadow_free = info->shadow[free].req.id; info->shadow[free].req.id = 0x0fffffee; /* debug */ return free;
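Review bot: in GET_ID_FROM_FREELIST the range check covers only the index about to be used, while the next link read on the following line, `info->shadow_free = info->shadow[free].req.id;`, is stored without any check, so a corrupted freelist entry is caught one call later than the point where it was introduced. With `>=` the check on `free` now matches the commit message (an index equal to BLK_RING_SIZE is one past the valid range), and that part looks right. Consider also validating the value being written to `info->shadow_free`, or at least adding a short comment above the BUG_ON stating which values of `shadow_free` are legal between calls, since the hunk does not show how an exhausted freelist is represented. A smaller point: `free` is declared `unsigned long` but the function returns `int`; the bound check keeps the value small enough that nothing is truncated, though matching the types would make that obvious to the reader. The commit message notes the change was tested only by booting a domU, so a check of the callers to confirm none of them relies on reaching this function with `shadow_free == BLK_RING_SIZE` would be worth recording before merge.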