From: Gonglei <arei.gonglei@huawei.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org,
peter.huangpeng@huawei.com
Subject: Re: [Qemu-trivial] [PATCH 2/2] xen-pt: fix Out-of-bounds read
Date: Tue, 10 Feb 2015 15:19:35 +0800
Message-ID: <54D9B107.3070002@huawei.com>
In-Reply-To: <alpine.DEB.2.02.1502100700180.29696@kaball.uk.xensource.com>
On 2015/2/10 15:00, Stefano Stabellini wrote:
> On Tue, 10 Feb 2015, Gonglei wrote:
>> On 2015/2/10 14:39, Stefano Stabellini wrote:
>>> On Sat, 31 Jan 2015, arei.gonglei@huawei.com wrote:
>>>> From: Gonglei <arei.gonglei@huawei.com>
>>>>
>>>> The array length of s->real_device.io_regions[] is
>>>> "PCI_NUM_REGIONS - 1". Add a check, just make Coverity happy.
>>>>
>>>> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
>>>> ---
>>>> hw/xen/xen_pt_config_init.c | 5 +++++
>>>> 1 file changed, 5 insertions(+)
>>>>
>>>> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
>>>> index 710fe50..3c8b0f1 100644
>>>> --- a/hw/xen/xen_pt_config_init.c
>>>> +++ b/hw/xen/xen_pt_config_init.c
>>>> @@ -443,6 +443,11 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
>>>> return -1;
>>>> }
>>>>
>>>> + if (index == PCI_ROM_SLOT) {
>>>> + XEN_PT_ERR(&s->dev, "Internal error: Access violation at ROM BAR.\n");
>>>> + return -1;
>>>> + }
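Review bot: The added "index == PCI_ROM_SLOT" test singles out one named slot instead of bounding index by the size of s->real_device.io_regions[], which the commit message gives as "PCI_NUM_REGIONS - 1". Fold this into the range check whose closing "return -1; }" appears as context just above, so a single comparison rejects every index past the end of the array. The commit message should also say whether this index can actually be reached or is only flagged by Coverity, rather than "just make Coverity happy".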
>>>
>>> Could you please fix the boundaries of the check just above?
>>> Also please avoid using PCI_ROM_SLOT for the array index check, simply
>>> use PCI_NUM_REGIONS.
>>>
>> You mean changing the check below:
>>
>>     if (index < 0 || index >= PCI_NUM_REGIONS - 1) {
>>         XEN_PT_ERR(&s->dev, "Internal error: Invalid BAR index [%d].\n", index);
>>         return -1;
>>     }
>>
>> Isn't it?
>
> that's right
>
OK, will do, thanks.
Regards,
-Gonglei
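
Added example, not part of the original message or of QEMU's code: a stand-alone C model of the bound agreed above, next to a bound derived from the array declaration itself. It assumes the earlier check compared against PCI_NUM_REGIONS and that PCI_ROM_SLOT is the last region index; model_device, the check_* helpers and count_escapes are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Local model constants (assumption: the ROM slot is the last region index). */
#define PCI_NUM_REGIONS 7
#define PCI_ROM_SLOT    (PCI_NUM_REGIONS - 1)
#define ARRAY_SIZE(a)   (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for s->real_device: one entry short of PCI_NUM_REGIONS. */
struct model_device {
    unsigned long io_regions[PCI_NUM_REGIONS - 1];
};

/* Assumed earlier bound: only rejects index >= PCI_NUM_REGIONS. */
static int check_loose(int index)
{
    return !(index < 0 || index >= PCI_NUM_REGIONS);
}

/* Bound agreed in the thread. */
static int check_tight(int index)
{
    return !(index < 0 || index >= PCI_NUM_REGIONS - 1);
}

/* Bound taken from the array itself, so it cannot drift from the declaration. */
static int check_sized(const struct model_device *d, int index)
{
    return index >= 0 && (size_t)index < ARRAY_SIZE(d->io_regions);
}

/* Count indices that a check accepts although they lie outside io_regions[]. */
static int count_escapes(int (*check)(int))
{
    int escapes = 0;
    for (int i = -2; i <= PCI_NUM_REGIONS + 1; i++) {
        int in_array = i >= 0 && i < PCI_NUM_REGIONS - 1;
        if (check(i) && !in_array) {
            escapes++;
        }
    }
    return escapes;
}

int main(void)
{
    struct model_device d = {{0}};
    printf("loose=%d tight=%d sized(ROM)=%d\n", count_escapes(check_loose),
           count_escapes(check_tight), check_sized(&d, PCI_ROM_SLOT));
    return 0;
}
```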