From: Stefan Weil <sw@weilnetz.de>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Paul Brook <paul@codesourcery.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
Date: Tue, 04 Sep 2012 20:16:06 +0200
Message-ID: <50464566.5070708@weilnetz.de>
In-Reply-To: <50464475.2030101@weilnetz.de>
On 04.09.2012 20:12, Stefan Weil wrote:
> On 04.09.2012 19:57, Peter Maydell wrote:
>> On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
>>> Report from smatch:
>>>
>>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>>
>>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>>
>>> Signed-off-by: Stefan Weil <sw@weilnetz.de>
>> Checked against the data sheet -- last documented register is at
>> offset $1F0, so correcting the offset check rather than the array
>> length is the correct fix.
>>
>> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
>>
>> -- PMM
>
> Then m5206_mbar_width should be shortened to 124 elements
> (0x1f0 / 4) _and_ the offset check needs a correction.
>
> -- sw
Sorry, 125 elements, of course. Or are there undocumented
registers at 0x1f4, 0x1f8 and 0x1fc?
- sw
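The off-by-one behind the smatch report, as an added example that is constructed here and is not QEMU's mcf5206.c: a width table of 0x80 entries indexed by offset >> 2, an offset check that still lets offset 0x200 reach entry 128 beside the tightened check, and a small audit that scans for the first accepted offset whose index leaves the table. The exact original comparison, the 0x1000 scan range and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the off-by-one in the thread, not QEMU's
 * mcf5206.c. Registers are 4 bytes wide, so an offset selects table entry
 * offset >> 2; 0x80 entries cover offsets 0..0x1fc and 0x200 is entry 128. */
#define MBAR_TABLE_LEN 0x80u
#define MBAR_SIZE 0x200u

/* Assumed shape of the check that still accepts offset == MBAR_SIZE. */
static int mbar_index_buggy(uint32_t offset)
{
    if (offset > MBAR_SIZE) {
        return -1;                 /* rejected */
    }
    return (int)(offset >> 2);     /* 0x200 >> 2 == 128, one past the end */
}

/* Corrected check: only 0 <= offset < MBAR_SIZE reaches the table. */
static int mbar_index_fixed(uint32_t offset)
{
    if (offset >= MBAR_SIZE) {
        return -1;
    }
    return (int)(offset >> 2);
}

/* Audit in the spirit of the smatch report: return the first accepted offset
 * whose index lies outside a table of table_len entries, or -1 if none. */
static long first_overflowing_offset(int (*index_of)(uint32_t), size_t table_len)
{
    for (uint32_t offset = 0; offset < 0x1000; offset++) {
        int idx = index_of(offset);
        if (idx >= 0 && (size_t)idx >= table_len) {
            return offset;
        }
    }
    return -1;
}

int main(void)
{
    printf("buggy check, 128 entries: first bad offset %ld (0x200 == 512)\n",
           first_overflowing_offset(mbar_index_buggy, MBAR_TABLE_LEN));
    /* A 125-entry table (0x1f0 / 4 + 1) needs a tighter offset check too. */
    printf("fixed check, 125 entries: first bad offset %ld (0x1f4 == 500)\n",
           first_overflowing_offset(mbar_index_fixed, 125));
    return 0;
}
```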