From: Aurelien Jarno <aurelien@aurel32.net>
To: Stefan Weil <sw@weilnetz.de>
Cc: Paul Brook <paul@codesourcery.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
Date: Mon, 10 Sep 2012 15:18:06 +0200
Message-ID: <20120910131806.GV6791@ohm.aurel32.net>
In-Reply-To: <1346780259-9781-1-git-send-email-sw@weilnetz.de>
On Tue, Sep 04, 2012 at 07:37:39PM +0200, Stefan Weil wrote:
> Report from smatch:
>
> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>
> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> ---
> hw/mcf5206.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/hw/mcf5206.c b/hw/mcf5206.c
> index 539b391..27753e2 100644
> --- a/hw/mcf5206.c
> +++ b/hw/mcf5206.c
> @@ -378,7 +378,7 @@ static uint32_t m5206_mbar_readb(void *opaque, target_phys_addr_t offset)
> {
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR read offset 0x%x", (int)offset);
> }
> if (m5206_mbar_width[offset >> 2] > 1) {
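Review bot: the `>=` is the right fix here, and the reason is worth spelling out in the commit message: after `offset &= 0x3ff`, an offset of exactly 0x200 passed the old `> 0x200` test and the very next line indexes `m5206_mbar_width[offset >> 2]`, i.e. element 0x80 of a 0x80-element table, one past the end. To keep the check tied to the table rather than to a repeated literal, consider expressing the limit as the table size times the 4-byte granularity of the `offset >> 2` index (0x80 * 4 == 0x200), e.g. `if (offset >= sizeof(m5206_mbar_width) * 4)`.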
> @@ -397,7 +397,7 @@ static uint32_t m5206_mbar_readw(void *opaque, target_phys_addr_t offset)
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR read offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
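Review bot: this mask-and-check block (`offset &= 0x3ff;` followed by the range test and `hw_error`) is now the fourth-to-sixth identical copy across the read and write paths in this patch, which is how the same off-by-one ended up in all six functions in the first place. A small static helper that masks the offset, checks it against the table size and calls `hw_error` with the read/write string would mean a future table-size change has one place to touch.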
> @@ -421,7 +421,7 @@ static uint32_t m5206_mbar_readl(void *opaque, target_phys_addr_t offset)
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR read offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
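Review bot: the value printed by `hw_error("Bad MBAR read offset 0x%x", (int)offset)` is the offset after `offset &= 0x3ff`, so a bad access at, say, 0x600 is reported as 0x200. If the message is meant to help locate the guest access that triggered it, log the unmasked offset (or both) rather than the masked one.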
> @@ -445,7 +445,7 @@ static void m5206_mbar_writeb(void *opaque, target_phys_addr_t offset,
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR write offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
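Review bot: converting the write path as well is the right scope, since `m5206_mbar_writeb` performs the identical `m5206_mbar_width[offset >> 2]` lookup right after the check; the same guest-selected offset that overran the table on read would overrun it here. Independently of this fix, note that `hw_error` on a guest-chosen bad offset takes the whole emulator down; whether a stray MBAR write should be fatal or merely logged and ignored is worth a follow-up, but is pre-existing behaviour and not something this patch needs to change.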
> @@ -469,7 +469,7 @@ static void m5206_mbar_writew(void *opaque, target_phys_addr_t offset,
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR write offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
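Review bot: the relationship between the two constants on these lines is undocumented: `offset &= 0x3ff` admits a 1 KiB window while the range check only allows the lower 0x200 bytes, which is exactly the gap the overflow lived in. A one-line comment above the check stating that the width table covers offsets 0..0x1ff (0x80 entries of 4 bytes) would make the `>=` self-explanatory to the next reader.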
> @@ -497,7 +497,7 @@ static void m5206_mbar_writel(void *opaque, target_phys_addr_t offset,
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR write offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
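Review bot: with all six checks now rejecting offset 0x200, the only remaining untested edge is 0x1ff, which must still be accepted (index 0x7f, the last table entry); a quick read and write at MBAR+0x1ff and MBAR+0x200 on a test board would confirm the boundary is in the right place in both directions. Minor: the `(int)offset` cast for `%x` is harmless after the mask but unnecessary if the format is matched to the offset type.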
> --
> 1.7.10
>
Thanks, applied.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
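The off-by-one fixed by the patch, reduced to a stand-alone model so the boundary can be tested exhaustively. This is an added example and not QEMU code: `mbar_width`, `mbar_offset_ok_before`, `mbar_offset_ok_after`, `mbar_lookup_width` and `count_oob_accepted` are hypothetical names; only the shape is taken from the patch (a 0x80-entry width table indexed by `offset >> 2`, and a guest offset masked to 0x3ff before the check).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not code from hw/mcf5206.c. Names are hypothetical; the
 * constants mirror the commit message: the width table has 0x80 elements,
 * is indexed by offset >> 2, and therefore supports 0 <= offset < 0x200.
 */
#define MBAR_WIDTH_ENTRIES 0x80u                      /* elements in the table */
#define MBAR_OFFSET_LIMIT  (MBAR_WIDTH_ENTRIES * 4u)  /* 0x200: first invalid offset */
#define MBAR_OFFSET_MASK   0x3ffu                     /* offset &= 0x3ff, as in the device */

/* Hypothetical width table; only the entry at index 0 is non-zero here. */
static const uint8_t mbar_width[MBAR_WIDTH_ENTRIES] = { 4 };

/* Table index the access would use, after masking the offset as the device does. */
uint32_t mbar_width_index(uint32_t offset)
{
    return (offset & MBAR_OFFSET_MASK) >> 2;
}

/* True when that index lies inside the table. */
int mbar_index_in_bounds(uint32_t offset)
{
    return mbar_width_index(offset) < MBAR_WIDTH_ENTRIES;
}

/* Check as it stood before the patch: rejects only offset > 0x200, so 0x200 passes. */
int mbar_offset_ok_before(uint32_t offset)
{
    offset &= MBAR_OFFSET_MASK;
    return !(offset > 0x200u);
}

/* Check as patched: rejects offset >= 0x200, tied here to the table size. */
int mbar_offset_ok_after(uint32_t offset)
{
    offset &= MBAR_OFFSET_MASK;
    return !(offset >= MBAR_OFFSET_LIMIT);
}

/* Safe lookup: indexes the table only after the patched check passes.
 * Returns the width, or -1 for an offset the device should reject. */
int mbar_lookup_width(uint32_t offset)
{
    if (!mbar_offset_ok_after(offset)) {
        return -1;
    }
    return mbar_width[mbar_width_index(offset)];
}

/*
 * Walk every value the masked offset can take and count those that the given
 * check accepts although the derived table index is out of bounds.
 * A correct check returns 0; the pre-patch check returns 1 (offset 0x200).
 */
unsigned count_oob_accepted(int (*check)(uint32_t))
{
    unsigned bad = 0;
    for (uint32_t off = 0; off <= MBAR_OFFSET_MASK; off++) {
        if (check(off) && !mbar_index_in_bounds(off)) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("offset 0x200 -> table index 0x%x (table size 0x%x)\n",
           mbar_width_index(0x200u), MBAR_WIDTH_ENTRIES);
    printf("before patch: %u accepted offset(s) with out-of-bounds index\n",
           count_oob_accepted(mbar_offset_ok_before));
    printf("after patch:  %u accepted offset(s) with out-of-bounds index\n",
           count_oob_accepted(mbar_offset_ok_after));
    return 0;
}
```

The exhaustive walk is the check a reviewer would want for any bounds test of this form: because the offset is masked to ten bits, the whole input space is only 1024 values, so every accepted offset can be compared against the real table size instead of reasoning about the single literal in the `if`. Note also that an access at 0x600 masks to 0x200 and must be rejected just like 0x200 itself.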
Thread overview: 6+ messages
2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
2012-09-04 17:57 ` Peter Maydell
2012-09-04 18:12 ` Stefan Weil
2012-09-04 18:16 ` Stefan Weil
2012-09-04 18:31 ` Peter Maydell
2012-09-10 13:18 ` Aurelien Jarno [this message]