Message-ID: <50464475.2030101@weilnetz.de>
Date: Tue, 04 Sep 2012 20:12:05 +0200
From: Stefan Weil
To: Peter Maydell
Cc: Paul Brook, qemu-devel@nongnu.org
References: <1346780259-9781-1-git-send-email-sw@weilnetz.de>
Subject: Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write

On 04.09.2012 19:57, Peter Maydell wrote:
> On 4 September 2012 18:37, Stefan Weil wrote:
>> Report from smatch:
>>
>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>
>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>
>> Signed-off-by: Stefan Weil
>
> Checked against the data sheet -- last documented register is at offset $1F0,
> so correcting the offset check rather than the array length is the correct
> fix.
>
> Reviewed-by: Peter Maydell
>
> -- PMM

Then m5206_mbar_width should be shortened to 124 elements (0x1f0 / 4) _and_
the offset check needs a correction.

-- sw
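The shape of the bug under discussion, as an added illustration that is not the QEMU code from the patch: a 0x80-entry width table indexed by offset >> 2, with the offset check that lets index 0x80 through beside the corrected one. The exact form of the pre-fix comparison is an assumption (a `>` where `>=` was needed, which is what the "128 <= 128" smatch report describes), the table contents are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for m5206_mbar_width: one width byte per 32-bit
   register slot, 0x80 entries covering offsets 0..0x1ff. Only the first few
   slots carry sample values; the rest are zero-filled. */
#define MBAR_WIDTH_ENTRIES 0x80
static const uint8_t mbar_width[MBAR_WIDTH_ENTRIES] = { 4, 2, 1 };

/* Sentinel returned for an offset the checker rejects. */
#define MBAR_BAD_OFFSET (-1)

/* Assumed pre-fix check: rejects only offsets strictly above 0x200, so
   offset == 0x200 passes and yields index 0x80, one past the table end. */
static int mbar_index_buggy(uint32_t offset)
{
    if (offset > 0x200) {
        return MBAR_BAD_OFFSET;
    }
    return (int)(offset >> 2);   /* 0x200 >> 2 == 0x80: out of bounds */
}

/* Corrected check: the table covers offsets 0..0x1ff only, so anything at
   or beyond 0x200 is rejected before it can become an index. */
static int mbar_index_fixed(uint32_t offset)
{
    if (offset >= 0x200) {
        return MBAR_BAD_OFFSET;
    }
    return (int)(offset >> 2);   /* always 0..0x7f */
}

/* Safe accessor built on the fixed check: width, or 0 for rejected offsets. */
static uint8_t mbar_width_fixed(uint32_t offset)
{
    int idx = mbar_index_fixed(offset);
    return idx == MBAR_BAD_OFFSET ? 0 : mbar_width[idx];
}

/* Does an index returned by either checker actually stay inside the table? */
static int index_in_bounds(int idx)
{
    return idx != MBAR_BAD_OFFSET && idx < MBAR_WIDTH_ENTRIES;
}

int main(void)
{
    printf("buggy check at 0x200 -> index %d (table has %d entries)\n",
           mbar_index_buggy(0x200), MBAR_WIDTH_ENTRIES);
    printf("fixed check at 0x200 -> %d (rejected)\n", mbar_index_fixed(0x200));
    return 0;
}
```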