* [Qemu-devel] [PATCH] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
@ 2018-11-15 23:05 Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé @ 2018-11-15 23:05 UTC (permalink / raw)
To: Corey Minyard, Paolo Bonzini; +Cc: Philippe Mathieu-Daudé, qemu-devel
Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a
heap overflow.
Replace the '8' magic number by a definition, and check no more than
this number are created.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
Based-on: 20181115192446.17187-1-minyard@acm.org
"RFC v2: Fix/add vmstate handling in some I2C code"
---
hw/i2c/smbus_eeprom.c | 13 +++++++++++--
include/hw/i2c/smbus_eeprom.h | 4 +++-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
index d0a8d63869..de3a492df4 100644
--- a/hw/i2c/smbus_eeprom.c
+++ b/hw/i2c/smbus_eeprom.c
@@ -23,6 +23,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "hw/hw.h"
#include "hw/boards.h"
#include "hw/i2c/i2c.h"
@@ -163,12 +164,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t *eeprom_buf)
qdev_init_nofail(dev);
}
-void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
+void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom,
const uint8_t *eeprom_spd, int eeprom_spd_size)
{
int i;
+ uint8_t *eeprom_buf;
+
+ if (nb_eeprom > SMBUS_EEPROM_MAX) {
+ error_report("At most %u EEPROM are supported on a SMBus.",
+ SMBUS_EEPROM_MAX);
+ exit(1);
+ }
+
/* XXX: make this persistent */
- uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE);
+ eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE);
if (eeprom_spd_size > 0) {
memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size);
}
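Review bot: The memcpy() at the end of this hunk is still guarded only by `eeprom_spd_size > 0`, while its destination shrinks from the fixed 8 * SMBUS_EEPROM_SIZE bytes to `nb_eeprom * SMBUS_EEPROM_SIZE`. A caller that passes a small nb_eeprom together with an SPD blob larger than that product would now write past the allocation, and with nb_eeprom == 0 the destination may be NULL. Bounding the copy closes this, for example `assert((size_t)eeprom_spd_size <= (size_t)nb_eeprom * SMBUS_EEPROM_SIZE);` inside the `if (eeprom_spd_size > 0)` branch, or by keeping the allocation at `SMBUS_EEPROM_MAX * SMBUS_EEPROM_SIZE`. The body of smbus_eeprom_init() continues past the hunk, so how eeprom_buf is divided between devices is not visible here.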
diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h
index 2f56e5dc4e..cc9d1cdba9 100644
--- a/include/hw/i2c/smbus_eeprom.h
+++ b/include/hw/i2c/smbus_eeprom.h
@@ -4,8 +4,10 @@
#include "hw/i2c/i2c.h"
+#define SMBUS_EEPROM_MAX 8
+
void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t *eeprom_buf);
-void smbus_eeprom_init(I2CBus *bus, int nb_eeprom,
+void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom,
const uint8_t *eeprom_spd, int size);
#endif
--
2.17.2
* Re: [Qemu-devel] [PATCH] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
From: Corey Minyard @ 2018-11-16 23:48 UTC (permalink / raw)
To: Philippe Mathieu-Daudé, Corey Minyard, Paolo Bonzini; +Cc: qemu-devel
On 11/15/18 5:05 PM, Philippe Mathieu-Daudé wrote:
> Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a
> heap overflow.
> Replace the '8' magic number by a definition, and check no more than
> this number are created.
This looks like a good idea. I have it in my tree.
Thanks,
-corey
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
> Based-on: 20181115192446.17187-1-minyard@acm.org
> "RFC v2: Fix/add vmstate handling in some I2C code"
> ---
> hw/i2c/smbus_eeprom.c | 13 +++++++++++--
> include/hw/i2c/smbus_eeprom.h | 4 +++-
> 2 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
> index d0a8d63869..de3a492df4 100644
> --- a/hw/i2c/smbus_eeprom.c
> +++ b/hw/i2c/smbus_eeprom.c
> @@ -23,6 +23,7 @@
> */
>
> #include "qemu/osdep.h"
> +#include "qemu/error-report.h"
> #include "hw/hw.h"
> #include "hw/boards.h"
> #include "hw/i2c/i2c.h"
> @@ -163,12 +164,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t *eeprom_buf)
> qdev_init_nofail(dev);
> }
>
> -void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
> +void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom,
> const uint8_t *eeprom_spd, int eeprom_spd_size)
> {
> int i;
> + uint8_t *eeprom_buf;
> +
> + if (nb_eeprom > SMBUS_EEPROM_MAX) {
> + error_report("At most %u EEPROM are supported on a SMBus.",
> + SMBUS_EEPROM_MAX);
> + exit(1);
> + }
> +
> /* XXX: make this persistent */
> - uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE);
> + eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE);
> if (eeprom_spd_size > 0) {
> memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size);
> }
> diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h
> index 2f56e5dc4e..cc9d1cdba9 100644
> --- a/include/hw/i2c/smbus_eeprom.h
> +++ b/include/hw/i2c/smbus_eeprom.h
> @@ -4,8 +4,10 @@
>
> #include "hw/i2c/i2c.h"
>
> +#define SMBUS_EEPROM_MAX 8
> +
> void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t *eeprom_buf);
> -void smbus_eeprom_init(I2CBus *bus, int nb_eeprom,
> +void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom,
> const uint8_t *eeprom_spd, int size);
>
> #endif