qemu-devel.nongnu.org archive mirror
From: Corey Minyard <tcminyard@gmail.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"Corey Minyard" <cminyard@mvista.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
Date: Fri, 16 Nov 2018 17:48:45 -0600
Message-ID: <01bb4878-5da6-12e3-31e5-254137a059d9@gmail.com>
In-Reply-To: <20181115230546.27375-1-philmd@redhat.com>

On 11/15/18 5:05 PM, Philippe Mathieu-Daudé wrote:
> Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a
> heap overflow.
> Replace the '8' magic number by a definition, and check no more than
> this number are created.

This looks like a good idea.  I have it in my tree.

Thanks,

-corey


> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
> Based-on: 20181115192446.17187-1-minyard@acm.org
> "RFC v2: Fix/add vmstate handling in some I2C code"
> ---
>   hw/i2c/smbus_eeprom.c         | 13 +++++++++++--
>   include/hw/i2c/smbus_eeprom.h |  4 +++-
>   2 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
> index d0a8d63869..de3a492df4 100644
> --- a/hw/i2c/smbus_eeprom.c
> +++ b/hw/i2c/smbus_eeprom.c
> @@ -23,6 +23,7 @@
>    */
>   
>   #include "qemu/osdep.h"
> +#include "qemu/error-report.h"
>   #include "hw/hw.h"
>   #include "hw/boards.h"
>   #include "hw/i2c/i2c.h"
> @@ -163,12 +164,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t *eeprom_buf)
>       qdev_init_nofail(dev);
>   }
>   
> -void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
> +void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom,
>                          const uint8_t *eeprom_spd, int eeprom_spd_size)
>   {
>       int i;
> +    uint8_t *eeprom_buf;
> +
> +    if (nb_eeprom > SMBUS_EEPROM_MAX) {
> +        error_report("At most %u EEPROM are supported on a SMBus.",
> +                     SMBUS_EEPROM_MAX);
> +        exit(1);
> +    }
> +
>        /* XXX: make this persistent */
> -    uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE);
> +    eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE);
>       if (eeprom_spd_size > 0) {
>           memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size);
>       }
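
Review bot: the memcpy() of eeprom_spd_size bytes at the end of this hunk is not bounded by the new allocation size. The buffer was a fixed 8 * SMBUS_EEPROM_SIZE and is now nb_eeprom * SMBUS_EEPROM_SIZE, so a caller that passes fewer than 8 EEPROMs together with an eeprom_spd_size larger than nb_eeprom * SMBUS_EEPROM_SIZE would write past the end of eeprom_buf, a case that fit in the old buffer whenever the size stayed within 8 * SMBUS_EEPROM_SIZE. I would reject that case next to the new nb_eeprom check, inside the existing `if (eeprom_spd_size > 0)` branch so the signed value is known to be positive before it is compared with the unsigned product, and report it with error_report() like the count check does.
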
> diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h
> index 2f56e5dc4e..cc9d1cdba9 100644
> --- a/include/hw/i2c/smbus_eeprom.h
> +++ b/include/hw/i2c/smbus_eeprom.h
> @@ -4,8 +4,10 @@
>   
>   #include "hw/i2c/i2c.h"
>   
> +#define SMBUS_EEPROM_MAX 8
> +
>   void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t *eeprom_buf);
> -void smbus_eeprom_init(I2CBus *bus, int nb_eeprom,
> +void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom,
>                          const uint8_t *eeprom_spd, int size);
>   
>   #endif
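
Review bot: SMBUS_EEPROM_MAX is added to the header with no comment saying what sets the limit of 8. A one-line comment above the define stating what bounds it would tell board code why the value cannot simply be raised. Separately, with nb_eeprom now `unsigned int` in the prototype, a caller that passes a negative int gets it converted to a large value and lands in the new exit(1) path; that is a reasonable outcome, but it is worth a sentence in the commit message since it changes behaviour for such callers.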
