From: Xiao Guangrong <guangrong.xiao@linux.intel.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: pbonzini@redhat.com, imammedo@redhat.com, gleb@kernel.org,
	mtosatti@redhat.com, mst@redhat.com, rth@twiddle.net,
	ehabkost@redhat.com, dan.j.williams@intel.com,
	kvm@vger.kernel.org, qemu-devel@nongnu.org
Subject: Re: [PATCH 4/8] nvdimm acpi: implement Read FIT function
Date: Fri, 15 Jul 2016 15:43:25 +0800	[thread overview]
Message-ID: <5788941D.1030509@linux.intel.com> (raw)
In-Reply-To: <20160714121750.GL15476@stefanha-x1.localdomain>



On 07/14/2016 08:17 PM, Stefan Hajnoczi wrote:

>> +/* Read FIT data, defined in docs/specs/acpi_nvdimm.txt. */
>> +static void nvdimm_dsm_func_read_fit(NvdimmDsmIn *in, hwaddr dsm_mem_addr)
>> +{
>> +    NvdimmFuncReadFITIn *read_fit;
>> +    NvdimmFuncReadFITOut *read_fit_out;
>> +    GSList *device_list = nvdimm_get_plugged_device_list();
>> +    GArray *fit = nvdimm_build_device_structure(device_list);
>> +    uint32_t read_len = 0, func_ret_status;
>> +    int left, size;
>> +
>> +    read_fit = (NvdimmFuncReadFITIn *)in->arg3;
>> +    le32_to_cpus(&read_fit->offset);
>> +
>> +    nvdimm_debug("Read FIT: offset %#x FIT size %#x.\n", read_fit->offset,
>> +                 fit->len);
>> +
>> +    left = fit->len - read_fit->offset;
>> +    if (left < 0) {
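Review bot: the check `left = fit->len - read_fit->offset; if (left < 0)` performs an unsigned subtraction (guint minus uint32_t) and then narrows the result into a signed `int`, so a guest-controlled `read_fit->offset` far beyond `fit->len` wraps back to a small positive `left`, passes the test, and the copy that follows reads past the end of `fit`. Compare the unsigned values directly, `if (read_fit->offset >= fit->len)`, before computing the remaining length, and keep `left` and `size` unsigned so the later clamp cannot misbehave the same way. Note also that `device_list` and `fit` are already allocated when the check fails, so the rejecting path must free both rather than simply return.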
>
> Signed integer overflow leads to memory disclosure in memcpy() below.
> The problem occurs when (guint)fit->len - (uint32_t)read_fit->offset >
> INT_MAX.
>
> Please perform the check like this:
>
>    if (fit->offset >= fit->len) {
>

Ah, yes, you are right, thank you for pointing it out. Will fix it.
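
The following is an added example, not code from the QEMU patch or from either author, that isolates the arithmetic of the quoted bounds check and runs it next to the unsigned comparison Stefan suggests. It is a constructed model: `fit_len` stands in for the GArray's `len`, `offset` for the guest-supplied `read_fit->offset`, and `max_read` is an assumed cap on a single read, not a name taken from the patch. With a 100-byte FIT, an offset of 0xFFFFFFFF makes the posted check compute `left = 101` and accept a read that lies entirely outside the buffer, while the unsigned check rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the bounds check in nvdimm_dsm_func_read_fit().
 * Only the arithmetic is reproduced: fit_len stands in for the GArray's
 * guint len, offset for the guest-supplied read_fit->offset, and max_read
 * (an assumption, not a name from the patch) for whatever cap the real
 * function applies to one read.
 */
typedef struct {
    bool accepted;      /* did the check let the request through? */
    uint32_t copy_len;  /* bytes the function would go on to copy */
    bool in_bounds;     /* does [offset, offset + copy_len) lie inside fit_len? */
} check_result;

static check_result finish(uint32_t fit_len, uint32_t offset, uint32_t copy_len)
{
    check_result r = { true, copy_len, false };
    /* 64-bit arithmetic so the end-of-read computation itself cannot wrap. */
    r.in_bounds = (uint64_t)offset + copy_len <= fit_len;
    return r;
}

/* The check as posted: unsigned subtraction narrowed into a signed int. */
static check_result vulnerable_check(uint32_t fit_len, uint32_t offset, uint32_t max_read)
{
    check_result rejected = { false, 0, true };   /* nothing is copied */
    int left, size;

    /*
     * guint - uint32_t is evaluated in unsigned 32-bit arithmetic and wraps
     * modulo 2^32; storing a value above INT_MAX in an int is
     * implementation-defined (two's-complement wraparound on gcc/clang).
     * An offset in (fit_len + 2^31, 2^32) therefore comes back as a small
     * positive number and passes the "left < 0" test.
     */
    left = fit_len - offset;
    if (left < 0) {
        return rejected;
    }
    size = left < (int)max_read ? left : (int)max_read;
    return finish(fit_len, offset, (uint32_t)size);
}

/* The hardened form: reject the offset in unsigned arithmetic first. */
static check_result hardened_check(uint32_t fit_len, uint32_t offset, uint32_t max_read)
{
    check_result rejected = { false, 0, true };
    uint32_t left, size;

    if (offset >= fit_len) {
        return rejected;
    }
    left = fit_len - offset;            /* cannot wrap: offset < fit_len */
    size = left < max_read ? left : max_read;
    return finish(fit_len, offset, size);
}

static void show(const char *label, check_result r)
{
    printf("%-10s accepted=%d copy_len=%u in_bounds=%d\n",
           label, r.accepted, r.copy_len, r.in_bounds);
}

int main(void)
{
    /* Constructed inputs: a 100-byte FIT and three guest-chosen offsets. */
    const uint32_t fit_len = 100, max_read = 4096;
    const uint32_t offsets[] = { 50, 200, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        printf("offset=%#x\n", offsets[i]);
        show("  posted", vulnerable_check(fit_len, offsets[i], max_read));
        show("  hardened", hardened_check(fit_len, offsets[i], max_read));
    }
    return 0;
}
```

The offset of 200 is caught by both versions, because the wrapped difference lands above INT_MAX and converts to a negative `int`; the dangerous region is the one where the wrapped difference is small enough to stay positive, which is exactly what an attacker controlling the full 32-bit offset can pick.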

Thread overview: 33+ messages
2016-07-11 13:45 [PATCH 0/8] nvdimm: hotplug support Xiao Guangrong
2016-07-11 13:45 ` [Qemu-devel] " Xiao Guangrong
2016-07-11 13:45 ` [PATCH 1/8] acpi nvdimm: fix wrong buffer size returned by DSM method Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-11 13:45 ` [PATCH 2/8] nvdimm acpi: prebuild nvdimm devices for available slots Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-11 13:45 ` [PATCH 3/8] nvdimm acpi: introduce _FIT Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-11 13:45 ` [PATCH 4/8] nvdimm acpi: implement Read FIT function Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-14 12:17   ` Stefan Hajnoczi
2016-07-14 12:17     ` [Qemu-devel] " Stefan Hajnoczi
2016-07-15  7:43     ` Xiao Guangrong [this message]
2016-07-15  7:43       ` Xiao Guangrong
2016-07-11 13:45 ` [PATCH 5/8] pc-dimm: introduce prepare_unplug() callback Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-11 13:45 ` [PATCH 6/8] pc: memhp: do not export nvdimm's memory via _CRS Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-11 13:45 ` [PATCH 7/8] pc: acpi: memhp: nvdimm hotplug support Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-14 12:17   ` Stefan Hajnoczi
2016-07-14 12:17     ` [Qemu-devel] " Stefan Hajnoczi
2016-07-15  7:49     ` Xiao Guangrong
2016-07-15  7:49       ` [Qemu-devel] " Xiao Guangrong
2016-07-15  9:56       ` Stefan Hajnoczi
2016-07-11 13:45 ` [PATCH 8/8] nvdimm docs: add nvdimm Read FIT function Xiao Guangrong
2016-07-11 13:45   ` [Qemu-devel] " Xiao Guangrong
2016-07-11 14:12 ` [Qemu-devel] [PATCH 0/8] nvdimm: hotplug support Igor Mammedov
2016-07-11 22:49   ` Xiao Guangrong
2016-07-14 12:17 ` Stefan Hajnoczi
2016-07-14 12:17   ` [Qemu-devel] " Stefan Hajnoczi
2016-07-15  7:55   ` Xiao Guangrong
2016-07-15  7:55     ` [Qemu-devel] " Xiao Guangrong
