From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49907)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <sw@weilnetz.de>) id 1Wu0js-0006mP-I5
	for qemu-devel@nongnu.org; Mon, 09 Jun 2014 10:40:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <sw@weilnetz.de>) id 1Wu0jm-0007VF-LP
	for qemu-devel@nongnu.org; Mon, 09 Jun 2014 10:39:56 -0400
Received: from [2a03:4000:1::4e2f:c7ac:d] (port=32823
	helo=v220110690675601.yourvserver.net)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <sw@weilnetz.de>) id 1Wu0jm-0007Uw-FV
	for qemu-devel@nongnu.org; Mon, 09 Jun 2014 10:39:50 -0400
Message-ID: <5395C72F.1030804@weilnetz.de>
Date: Mon, 09 Jun 2014 16:39:43 +0200
From: Stefan Weil <sw@weilnetz.de>
MIME-Version: 1.0
References: <1402323569-30927-1-git-send-email-sw@weilnetz.de>
In-Reply-To: <1402323569-30927-1-git-send-email-sw@weilnetz.de>
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] apb: Fix out-of-bounds array write access
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

Am 09.06.2014 16:19, schrieb Stefan Weil:
> The array regs is declared with IOMMU_NREGS (3) elements and accessed
> using IOMMU_CTRL (0) and IOMMU_BASE (8). In most cases, those values
> are right shifted before being used as an index which results in indices
> 0 and 1. In one case, this right shift was missing for IOMMU_BASE which
> results in an out-of-bounds write access with index 8.
> 
> The patch adds the missing shift operation also for IOMMU_CTRL where
> it is needed only for cosmetic reasons.
> 
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> ---
> 
> Any reason why the array is declared with 3 elements when only the first 2
> are used?
> 
> Regards,
> Stefan
> 
>  hw/pci-host/apb.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/pci-host/apb.c b/hw/pci-host/apb.c
> index 1497008..887338e 100644
> --- a/hw/pci-host/apb.c
> +++ b/hw/pci-host/apb.c
Snip here ---->
> @@ -1,4 +1,4 @@
> -/*
> +re/*

Please remove this part before applying the patch. It was added
accidentally when I added a comment to the patch file


>   * QEMU Ultrasparc APB PCI host
>   *
>   * Copyright (c) 2006 Fabrice Bellard
<---- until here.
> @@ -333,7 +333,7 @@ static void iommu_config_write(void *opaque, hwaddr addr,
>              is->regs[IOMMU_CTRL >> 3] &= 0xffffffffULL;
>              is->regs[IOMMU_CTRL >> 3] |= val << 32;
>          } else {
> -            is->regs[IOMMU_CTRL] = val;
> +            is->regs[IOMMU_CTRL >> 3] = val;
>          }
>          break;
>      case IOMMU_CTRL + 0x4:
> @@ -345,7 +345,7 @@ static void iommu_config_write(void *opaque, hwaddr addr,
>              is->regs[IOMMU_BASE >> 3] &= 0xffffffffULL;
>              is->regs[IOMMU_BASE >> 3] |= val << 32;
>          } else {
> -            is->regs[IOMMU_BASE] = val;
> +            is->regs[IOMMU_BASE >> 3] = val;
>          }
>          break;
>      case IOMMU_BASE + 0x4:
>