From: Jason Wang <jasowang@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Ling Liu <liuling-it@360.cn>,
Prasad J Pandit <pjp@fedoraproject.org>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATVH v2] net: ne2000: fix bounds check in ioport operations
Date: Thu, 31 Dec 2015 15:18:04 +0800
Message-ID: <5684D6AC.7030701@redhat.com>
In-Reply-To: <alpine.LFD.2.20.1512311120590.16883@wniryva>

On 12/31/2015 01:56 PM, P J P wrote:
> +-- On Thu, 31 Dec 2015, Jason Wang wrote --+
> | > - (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
> | > + if (addr < 32 || (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
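
Review bot: the `+` line keeps the same `addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE` bounds as the removed line, so as far as the quoted lines show, this hunk only re-wraps the condition onto one line. Leaving it out would keep the fix limited to the checks whose logic actually changes.
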
> |
> | The change is unnecessary.
>
> Okay.
>
> | > + if (addr < 32
> | > + || (addr >= NE2000_PMEM_START
> | > + && addr + sizeof(uint16_t) < NE2000_MEM_SIZE)) {
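
Review bot: on the last line of this condition, `addr + sizeof(uint16_t) < NE2000_MEM_SIZE` also rejects a two-byte access at `NE2000_MEM_SIZE - 2`, whose last byte is `NE2000_MEM_SIZE - 1` and therefore still inside the range that the one-byte check `addr < NE2000_MEM_SIZE` accepts. The sum `addr + sizeof(uint16_t)` is the offset one past the last byte touched, so it should be compared with `<=`. A short comment naming the last byte touched would make the intent clear for the wider accesses as well.
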
> |
> | I think you mean '<=' instead of '<' here? (And for the other checks below).
>
> I think <= would lead to an off-by-one, no?

The real byte we could touch is in fact addr + sizeof(uint16_t) - 1 here.
Consider that we should allow a double-byte access at NE2000_MEM_SIZE - 2,
but this patch forbids this.

Btw, looking at ne2000_mem_writew(), it has:

    addr &= ~1;

at the beginning, so it looks like we are really safe. Need only to care
about writel?

> As the last array index would be
> one less than the size; Same as ne2000_mem_readb() above.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
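
The off-by-one discussed in this message, as an added example that is not part of the original thread or of QEMU's code: it compares the strict and inclusive end-offset checks, and the one-byte check combined with `addr &= ~1`, against a ground-truth predicate over every offset. The window constants and all function names are assumptions made for the illustration, and the `addr < 32` branch of the quoted condition is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed window for illustration; not the sizes used by QEMU's ne2000. */
#define PMEM_START 16u
#define MEM_SIZE   48u   /* even, so an even offset below it has room for 2 bytes */

struct tally { unsigned wrongly_rejected, wrongly_accepted; };

/* Ground truth (len >= 1): the last byte touched is addr + len - 1. */
static bool truly_inside(uint32_t addr, uint32_t len) {
    return addr >= PMEM_START && addr + len - 1 <= MEM_SIZE - 1;
}

/* Form in the quoted hunk: end offset strictly below MEM_SIZE. */
bool check_strict(uint32_t addr, uint32_t len) {
    return addr >= PMEM_START && addr + len < MEM_SIZE;
}

/* Form suggested in the reply: end offset may equal MEM_SIZE. */
bool check_inclusive(uint32_t addr, uint32_t len) {
    return addr >= PMEM_START && addr + len <= MEM_SIZE;
}

/* One-byte check that ignores the access width. */
bool check_byte_only(uint32_t addr, uint32_t len) {
    (void)len;
    return addr >= PMEM_START && addr < MEM_SIZE;
}

/* Try every offset; if mask is set, apply "addr &= ~1" before the check. */
struct tally scan(bool (*check)(uint32_t, uint32_t), uint32_t len, bool mask) {
    struct tally t = {0, 0};
    for (uint32_t a = 0; a < MEM_SIZE + 8; a++) {
        uint32_t addr = mask ? (a & ~1u) : a;
        bool accepted = check(addr, len), safe = truly_inside(addr, len);
        t.wrongly_rejected += safe && !accepted;
        t.wrongly_accepted += !safe && accepted;
    }
    return t;
}

int main(void) {
    printf("strict, 2 bytes: %u valid rejected\n", scan(check_strict, 2, false).wrongly_rejected);
    printf("byte check + mask, 4 bytes: %u overruns accepted\n",
           scan(check_byte_only, 4, true).wrongly_accepted);
    return 0;
}
```

With the mask applied, the one-byte check is exact for two-byte accesses in this model but admits four-byte accesses that start at `MEM_SIZE - 2`.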