From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=53083 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OGebt-0007S8-B1 for qemu-devel@nongnu.org; Mon, 24 May 2010 16:50:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1OGebn-0004kO-57 for qemu-devel@nongnu.org; Mon, 24 May 2010 16:50:52 -0400 Received: from mx1.redhat.com ([209.132.183.28]:50351) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1OGebm-0004kJ-Tp for qemu-devel@nongnu.org; Mon, 24 May 2010 16:50:47 -0400 From: Juan Quintela In-Reply-To: <4BFAE34E.5030000@web.de> (Jan Kiszka's message of "Mon, 24 May 2010 22:36:30 +0200") References: <8a1aa09875d202957645ecf4b8eb67db935d175c.1274732025.git.jan.kiszka@web.de> <4BFAE34E.5030000@web.de> Date: Mon, 24 May 2010 22:50:41 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: [Qemu-devel] Re: [RFT][PATCH 01/15] hpet: Catch out-of-bounds timer access List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Jan Kiszka Cc: blue Swirl , qemu-devel@nongnu.org Jan Kiszka wrote: > Juan Quintela wrote: >> Jan Kiszka wrote: >>> From: Jan Kiszka >>> >>> Also prevent out-of-bounds write access to the timers but don't spam the >>> host console if it triggers. >>> >>> Signed-off-by: Jan Kiszka >>> --- >>> hw/hpet.c | 6 +++++- >>> 1 files changed, 5 insertions(+), 1 deletions(-) >>> >>> diff --git a/hw/hpet.c b/hw/hpet.c >>> index 8729fb2..1980906 100644 >>> --- a/hw/hpet.c >>> +++ b/hw/hpet.c >>> @@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, target_phys_addr_t addr) >>> if (index >= 0x100 && index <= 0x3ff) { >>> uint8_t timer_id = (addr - 0x100) / 0x20; >>> if (timer_id > HPET_NUM_TIMERS - 1) { >>> - printf("qemu: timer id out of range\n"); >>> + DPRINTF("qemu: timer id out of range\n"); >>> return 0; >>> } >>> HPETTimer *timer = &s->timer[timer_id]; 
>>> @@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr, >>> DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id); >> >> if you are going to check timer_id, check it before accessing the array? > > That's just address arithmetic, nothing is dereferenced at this point. hahahahahha /me back to the pointer class. Later, Juan.
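Review bot: In the hpet_ram_readl hunk the range test is on `index` (`index >= 0x100 && index <= 0x3ff`) while `timer_id` is derived from `addr` (`(addr - 0x100) / 0x20`); if those two values can ever differ, the range test does not bound `timer_id`, so either derive `timer_id` from `index` as well or test `addr` in the same condition. As a readability point, `timer_id > HPET_NUM_TIMERS - 1` is clearer written as `timer_id >= HPET_NUM_TIMERS`. Downgrading the guest-triggerable `printf` to `DPRINTF` is the right direction, since a guest should not be able to flood the host console by poking an invalid timer offset.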
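Review bot: The four lines this hunk adds to hpet_ram_writel are not preserved in the quoted reply, so it is not possible to confirm from what is visible where the new bounds check sits relative to the `&s->timer[timer_id]` computation; it should go immediately after `timer_id` is computed and before any `s->timer[timer_id]` expression, mirroring the read path, because forming a pointer outside the array bounds is already undefined behaviour in C even if nothing is dereferenced through it. As in the read path, the diagnostic should use `DPRINTF` rather than `printf` so the check cannot be used to spam the host console.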