Message-ID: <50464566.5070708@weilnetz.de>
Date: Tue, 04 Sep 2012 20:16:06 +0200
From: Stefan Weil
References: <1346780259-9781-1-git-send-email-sw@weilnetz.de> <50464475.2030101@weilnetz.de>
In-Reply-To: <50464475.2030101@weilnetz.de>
Subject: Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
To: Peter Maydell
Cc: Paul Brook, qemu-devel@nongnu.org

On 04.09.2012 20:12, Stefan Weil wrote:
> On 04.09.2012 19:57, Peter Maydell wrote:
>> On 4 September 2012 18:37, Stefan Weil wrote:
>>> Report from smatch:
>>>
>>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>>
>>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>>
>>> Signed-off-by: Stefan Weil
>>
>> Checked against the data sheet -- last documented register is at offset $1F0,
>> so correcting the offset check rather than the array length is the correct
>> fix.
>>
>> Reviewed-by: Peter Maydell
>>
>> -- PMM
>
> Then m5206_mbar_width should be shortened to 124 elements
> (0x1f0 / 4) _and_ the offset check needs a correction.
>
> -- sw

Sorry, 125 elements, of course.

Or are there undocumented registers at 0x1f4, 0x1f8 and 0x1fc?

- sw
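The bounds problem under discussion, as an added example that is not QEMU's hw/mcf5206.c and not part of this thread: a width table of 0x80 entries indexed by offset >> 2, an index computation with the inclusive upper bound that produces the "128 <= 128" smatch finding (the original hunk is not quoted in this message, so that shape is an assumption), the corrected lookup with an exclusive bound plus a guard against the real table length, and the 0x1F0/4 + 1 = 125 sizing arithmetic from the follow-up.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the MBAR width-table lookup; sizes come from the thread: 0x80 entries,
 * offsets meant to satisfy 0 <= offset < 0x200, last documented register at 0x1F0. */
#define MBAR_TABLE_ENTRIES   0x80   /* 128, as in the smatch report */
#define MBAR_OFFSET_END      0x200  /* first offset beyond the supported range */
#define MBAR_LAST_DOCUMENTED 0x1F0  /* from the data sheet, per the review */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed width values (bytes per register slot); the contents do not matter here. */
static const uint8_t mbar_width[MBAR_TABLE_ENTRIES] = { 4, 2, 1, 4 };

/* Index computation with an inclusive upper bound (assumed shape of the flaw):
 * offset == 0x200 passes the check and yields index 128, equal to the table
 * length. Returns the index that would be used, or -1 if the offset is rejected;
 * the table is deliberately not dereferenced so the model itself has no UB. */
static int mbar_index_inclusive_bound(uint32_t offset)
{
    if (offset > MBAR_OFFSET_END) {      /* lets offset == 0x200 through */
        return -1;
    }
    return (int)(offset >> 2);           /* 0x200 >> 2 == 128 == MBAR_TABLE_ENTRIES */
}

/* Entries needed to cover 4-byte slots 0..last_offset: for 0x1F0 this is
 * 0x1F0 / 4 + 1 = 125, the figure the follow-up corrects itself to. */
static size_t mbar_entries_needed(uint32_t last_offset)
{
    return (size_t)(last_offset >> 2) + 1;
}

/* Corrected lookup: exclusive bound on the offset, plus a check of the derived
 * index against the actual table length so the two constants cannot drift apart.
 * Returns the width, or -1 for an out-of-range offset. */
static int mbar_width_at(uint32_t offset)
{
    if (offset >= MBAR_OFFSET_END) {
        return -1;
    }
    size_t idx = offset >> 2;
    if (idx >= ARRAY_SIZE(mbar_width)) {
        return -1;                       /* defensive; unreachable with the sizes above */
    }
    return mbar_width[idx];
}
```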