Handle copying bitmaps to larger data buffers

If a bitmap of a shorter length than the data buffer is passed to virBitmapToDataBuf, it will read off the end of the bitmap and copy junk into the returned buffer. Add a check to only copy the length of the bitmap to the buffer. The problem can be observed after setting a vcpu affinity using the vcpupin command on a system with a large number of cores: # virsh vcpupin example_domain 0 0 # virsh vcpupin example_domain 0 VCPU CPU Affinity --------------------------- 0 0,192,197-198,202 Signed-off-by: N John Allen <john.allen@amd.com>

Handle copying bitmaps to larger data buffers
If a bitmap of a shorter length than the data buffer is passed to virBitmapToDataBuf, it will read off the end of the bitmap and copy junk into the returned buffer. Add a check to only copy the length of the bitmap to the buffer. The problem can be observed after setting a vcpu affinity using the vcpupin command on a system with a large number of cores: # virsh vcpupin example_domain 0 0 # virsh vcpupin example_domain 0 VCPU CPU Affinity --------------------------- 0 0,192,197-198,202 Signed-off-by: N John Allen <john.allen@amd.com>
51f9f80d · Allen, John · Pavel Hrdina · 055af76f · 51f9f80d
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

src/util/virbitmap.c src/util/virbitmap.c +4 -0

未找到文件。
--- a/src/util/virbitmap.c
+++ b/src/util/virbitmap.c
@@ -825,11 +825,15 @@ virBitmapToDataBuf(virBitmapPtr bitmap,
                   unsigned char *bytes,
                   size_t len)
 {
+    size_t nbytes = bitmap->map_len * (VIR_BITMAP_BITS_PER_UNIT / CHAR_BIT);
    unsigned long *l;
    size_t i, j;

    memset(bytes, 0, len);

+    /* If bitmap and buffer differ in size, only fill to the smaller length */
+    len = MIN(len, nbytes);
+
    /* htole64 is not provided by gnulib, so we do the conversion by hand */
    l = bitmap->map;
    for (i = j = 0; i < len; i++, j++) {