From e75abae126f9fcaf1e8478f0780ecae736f7d3e1 Mon Sep 17 00:00:00 2001 Message-Id: From: "Allen, John" Date: Tue, 2 Jul 2019 17:05:34 +0200 Subject: [PATCH] Handle copying bitmaps to larger data buffers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a bitmap of a shorter length than the data buffer is passed to virBitmapToDataBuf, it will read off the end of the bitmap and copy junk into the returned buffer. Add a check to only copy the length of the bitmap to the buffer. The problem can be observed after setting a vcpu affinity using the vcpupin command on a system with a large number of cores: # virsh vcpupin example_domain 0 0 # virsh vcpupin example_domain 0 VCPU CPU Affinity --------------------------- 0 0,192,197-198,202 Signed-off-by: John Allen (cherry picked from commit 51f9f80d350e633adf479c6a9b3c55f82ca9cbd4) https://bugzilla.redhat.com/show_bug.cgi?id=1703160 Signed-off-by: Erik Skultety Message-Id: <1a487c4f1ba9725eb7325debeeff2861d7047890.1562079635.git.eskultet@redhat.com> Reviewed-by: Ján Tomko --- src/util/virbitmap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/util/virbitmap.c b/src/util/virbitmap.c index 49e542a4e6..7df0a2d4f3 100644 --- a/src/util/virbitmap.c +++ b/src/util/virbitmap.c @@ -831,11 +831,15 @@ virBitmapToDataBuf(virBitmapPtr bitmap, unsigned char *bytes, size_t len) { + size_t nbytes = bitmap->map_len * (VIR_BITMAP_BITS_PER_UNIT / CHAR_BIT); unsigned long *l; size_t i, j; memset(bytes, 0, len); + /* If bitmap and buffer differ in size, only fill to the smaller length */ + len = MIN(len, nbytes); + /* htole64 is not provided by gnulib, so we do the conversion by hand */ l = bitmap->map; for (i = j = 0; i < len; i++, j++) { -- 2.22.0
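Review bot: The clamp `len = MIN(len, nbytes);` overwrites the caller's buffer length directly after `memset(bytes, 0, len)`, so the zeroed tail of the output depends on those two statements staying in that order. If the memset were later moved below the clamp, the bytes past the end of the bitmap would be handed back uninitialised, which gives the same junk-in-the-buffer symptom the commit message reports for vcpupin. Consider leaving `len` untouched and bounding the loop with a separate local, for example `size_t ncopy = MIN(len, nbytes);`, and extending the new comment to say that the rest of the buffer stays zero. The diffstat also shows 4 insertions in one file with no test: a unit test that passes a buffer longer than the bitmap and checks that every trailing byte is zero would guard against the out-of-bounds read coming back.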