From: Jan Kiszka
Date: Mon, 24 May 2010 22:36:30 +0200
Subject: [Qemu-devel] Re: [RFT][PATCH 01/15] hpet: Catch out-of-bounds timer access
To: Juan Quintela
Cc: blue Swirl, qemu-devel@nongnu.org
Message-ID: <4BFAE34E.5030000@web.de>
References: <8a1aa09875d202957645ecf4b8eb67db935d175c.1274732025.git.jan.kiszka@web.de>

Juan Quintela wrote:
> Jan Kiszka wrote:
>> From: Jan Kiszka
>>
>> Also prevent out-of-bounds write access to the timers but don't spam the
>> host console if it triggers.
>>
>> Signed-off-by: Jan Kiszka
>> ---
>> hw/hpet.c | 6 +++++-
>> 1 files changed, 5 insertions(+), 1 deletions(-)
>>
>> diff --git a/hw/hpet.c b/hw/hpet.c
>> index 8729fb2..1980906 100644
>> --- a/hw/hpet.c
>> +++ b/hw/hpet.c
>> @@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, target_phys_addr_t addr)
>> if (index >= 0x100 && index <= 0x3ff) {
>> uint8_t timer_id = (addr - 0x100) / 0x20;
>> if (timer_id > HPET_NUM_TIMERS - 1) {
>> - printf("qemu: timer id out of range\n");
>> + DPRINTF("qemu: timer id out of range\n");
>> return 0;
>> }
>> HPETTimer *timer = &s->timer[timer_id];
>> @@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
>> DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);
>
> If you are going to check timer_id, check it before accessing the array?

That's just address arithmetic, nothing is dereferenced at this point.

Jan
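Review bot: in the hpet_ram_readl hunk, the `timer_id > HPET_NUM_TIMERS - 1` test is the only thing between a guest-chosen MMIO offset and `s->timer[]`: the `index >= 0x100 && index <= 0x3ff` window admits (0x3ff - 0x100) / 0x20 + 1 = 24 timer slots, so every offset from 0x100 + HPET_NUM_TIMERS * 0x20 upward reaches this branch, and a guest can do that at will. Downgrading the message from `printf` to `DPRINTF` is therefore right (an unprivileged guest must not be able to fill the host's console or log), and the `return 0` keeps reads of unbacked slots harmless. Minor: writing the comparison as `timer_id >= HPET_NUM_TIMERS` says the same thing without the `- 1` and matches the usual idiom for array bounds.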
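Review bot: the `+` lines of the hpet_ram_writel hunk are not quoted here, so only the `DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);` context line is visible, and the exchange above says the added check sits after the timer's address has already been computed. Forming `&s->timer[timer_id]` with an out-of-range index is undefined behaviour in C even when the pointer is never dereferenced (only a pointer one past the end of the array is sanctioned), so the check belongs before that address computation, exactly as the readl hunk does it, where `HPETTimer *timer = &s->timer[timer_id];` comes after the `return 0;`. Moving it costs nothing and removes the reliance on the compiler not exploiting the out-of-bounds address.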
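The ordering question the thread turns on (derive the timer index from the guest-visible offset, reject anything that has no backing entry in `s->timer[]`, and only then form a pointer) as an added example in C. This is not QEMU's hpet.c and not part of the mail; it assumes a cut-down timer block with `HPET_NUM_TIMERS` fixed at 3 and the 0x100/0x20/0x3ff layout taken from the hunk, and the names `hpet_timer_index`, `hpet_reg_slot`, `hpet_model_writel`, `hpet_model_readl`, `hpet_model_roundtrip` and `hpet_model_sweep` are chosen here, not taken from the project.

```c
/* Added example (not QEMU's code): guest-controlled MMIO offset -> timer index,
 * with the bounds check done before any pointer into s->timer[] is formed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HPET_NUM_TIMERS 3        /* assumption: a small fixed number of timers */
#define HPET_TN_BASE    0x100    /* first timer register window, as in the hunk */
#define HPET_TN_SIZE    0x20     /* bytes per timer window, as in the hunk */
#define HPET_TN_END     0x3ff    /* last offset the hunk treats as a timer register */

typedef struct {
    uint32_t regs[HPET_TN_SIZE / 4];   /* simplified: one dword slot per register offset */
} HPETTimer;

typedef struct {
    HPETTimer timer[HPET_NUM_TIMERS];
    unsigned  rejected;                /* out-of-range accesses seen (feed a rate-limited log) */
} HPETState;

/* Map a guest-visible offset to a timer index, or -1 if it is not a register
 * of an implemented timer.  Nothing touches s->timer[] here. */
static int hpet_timer_index(uint64_t addr)
{
    if (addr < HPET_TN_BASE || addr > HPET_TN_END) {
        return -1;                     /* not in the timer window at all */
    }
    uint64_t id = (addr - HPET_TN_BASE) / HPET_TN_SIZE;
    /* The window holds (0x3ff - 0x100) / 0x20 + 1 = 24 slots; only the first
     * HPET_NUM_TIMERS of them are backed by storage. */
    if (id >= HPET_NUM_TIMERS) {
        return -1;
    }
    return (int)id;
}

/* Dword slot of a register inside its timer window (addr already validated). */
static size_t hpet_reg_slot(uint64_t addr)
{
    return ((addr - HPET_TN_BASE) % HPET_TN_SIZE) / 4;
}

/* Write path: the check precedes &s->timer[id], so no out-of-range address is
 * ever computed, let alone dereferenced.  Returns 1 if the write was applied. */
static int hpet_model_writel(HPETState *s, uint64_t addr, uint32_t val)
{
    int id = hpet_timer_index(addr);
    if (id < 0) {
        s->rejected++;                 /* count instead of printf: guest-triggerable */
        return 0;
    }
    HPETTimer *t = &s->timer[id];      /* pointer formed only after the check */
    t->regs[hpet_reg_slot(addr)] = val;
    return 1;
}

/* Read path: unbacked slots read as 0, as in the hunk. */
static uint32_t hpet_model_readl(const HPETState *s, uint64_t addr)
{
    int id = hpet_timer_index(addr);
    if (id < 0) {
        return 0;
    }
    return s->timer[id].regs[hpet_reg_slot(addr)];
}

/* Write val at addr into a fresh state and read it back (0 if rejected). */
static uint32_t hpet_model_roundtrip(uint64_t addr, uint32_t val)
{
    HPETState s;
    memset(&s, 0, sizeof s);
    hpet_model_writel(&s, addr, val);
    return hpet_model_readl(&s, addr);
}

/* Sweep every dword offset of the timer window, as a guest probing the device
 * would, and return how many of the 192 offsets have no backing timer. */
static unsigned hpet_model_sweep(void)
{
    HPETState s;
    memset(&s, 0, sizeof s);
    for (uint64_t addr = HPET_TN_BASE; addr <= HPET_TN_END; addr += 4) {
        hpet_model_writel(&s, addr, 0xffffffffu);
    }
    return s.rejected;
}

int main(void)
{
    printf("offset 0x124 -> timer %d\n", hpet_timer_index(0x124));
    printf("offset 0x160 -> timer %d\n", hpet_timer_index(0x160));
    printf("unbacked dword offsets in the timer window: %u\n", hpet_model_sweep());
    return 0;
}
```

With three timers only offsets 0x100 through 0x15f are backed, so 168 of the 192 dword offsets a guest can address in the window fall into the rejected path; that is the surface the check in the patch guards, and why its message must not go to the host console unconditionally.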