From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=45403 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OGeMj-0007u7-58
	for qemu-devel@nongnu.org; Mon, 24 May 2010 16:35:19 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <quintela@redhat.com>) id 1OGeMU-0002sk-5T
	for qemu-devel@nongnu.org; Mon, 24 May 2010 16:35:07 -0400
Received: from mx1.redhat.com ([209.132.183.28]:21558)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <quintela@redhat.com>) id 1OGeMT-0002sX-UF
	for qemu-devel@nongnu.org; Mon, 24 May 2010 16:34:58 -0400
From: Juan Quintela <quintela@redhat.com>
In-Reply-To: <8a1aa09875d202957645ecf4b8eb67db935d175c.1274732025.git.jan.kiszka@web.de>
	(Jan Kiszka's message of "Mon, 24 May 2010 22:13:34 +0200")
References: <cover.1274732025.git.jan.kiszka@web.de>
	<cover.1274732025.git.jan.kiszka@web.de>
	<8a1aa09875d202957645ecf4b8eb67db935d175c.1274732025.git.jan.kiszka@web.de>
Date: Mon, 24 May 2010 22:34:54 +0200
Message-ID: <m3bpc5m429.fsf@trasno.mitica>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [Qemu-devel] Re: [RFT][PATCH 01/15] hpet: Catch out-of-bounds timer
	access
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jan Kiszka <jan.kiszka@web.de>
Cc: blue Swirl <blauwirbel@gmail.com>, Jan Kiszka <jan.kiszka@siemens.com>, qemu-devel@nongnu.org

Jan Kiszka <jan.kiszka@web.de> wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> Also prevent out-of-bounds write access to the timers but don't spam the
> host console if it triggers.
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  hw/hpet.c |    6 +++++-
>  1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/hw/hpet.c b/hw/hpet.c
> index 8729fb2..1980906 100644
> --- a/hw/hpet.c
> +++ b/hw/hpet.c
> @@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, target_phys_addr_t addr)
>      if (index >= 0x100 && index <= 0x3ff) {
>          uint8_t timer_id = (addr - 0x100) / 0x20;
>          if (timer_id > HPET_NUM_TIMERS - 1) {
> -            printf("qemu: timer id out of range\n");
> +            DPRINTF("qemu: timer id out of range\n");
>              return 0;
>          }
>          HPETTimer *timer = &s->timer[timer_id];
> @@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
>          DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);

if you are going to check timer_id, check it before accessing the array?

>          HPETTimer *timer = &s->timer[timer_id];
>  
> +        if (timer_id > HPET_NUM_TIMERS - 1) {
> +            DPRINTF("qemu: timer id out of range\n");
> +            return;
> +        }
>          switch ((addr - 0x100) % 0x20) {
>              case HPET_TN_CFG:
>                  DPRINTF("qemu: hpet_ram_writel HPET_TN_CFG\n");