From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42262)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <afaerber@suse.de>) id 1UmvfX-000897-SA
	for qemu-devel@nongnu.org; Wed, 12 Jun 2013 20:45:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <afaerber@suse.de>) id 1UmvfV-0005Ty-F9
	for qemu-devel@nongnu.org; Wed, 12 Jun 2013 20:45:39 -0400
Received: from cantor2.suse.de ([195.135.220.15]:32914 helo=mx2.suse.de)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <afaerber@suse.de>) id 1UmvfV-0005Tk-97
	for qemu-devel@nongnu.org; Wed, 12 Jun 2013 20:45:37 -0400
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 13 Jun 2013 02:45:14 +0200
Message-Id: <1371084329-814-3-git-send-email-afaerber@suse.de>
In-Reply-To: <1371084329-814-1-git-send-email-afaerber@suse.de>
References: <1371084329-814-1-git-send-email-afaerber@suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL 02/17] pc: Fix crash when attempting to hotplug
	CPU with negative ID
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Igor Mammedov <imammedo@redhat.com>, Anthony Liguori <aliguori@us.ibm.com>, =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>

From: Igor Mammedov <imammedo@redhat.com>

QMP command "{ 'execute': 'cpu-add', 'arguments': { 'id': -1 }}" may caus=
e
QEMU SIGSEGV at:
 piix4_cpu_hotplug_req ()
    ...
    g->sts[cpu_id / 8] |=3D (1 << (cpu_id % 8));
    ...

Since for PC in current implementation id should be in range [0...maxcpus=
)
and maxcpus is already checked, add check for lower bound and error out
on incorrect value.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Andreas F=C3=A4rber <afaerber@suse.de>
---
 hw/i386/pc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 4844a6b..553becb 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -927,6 +927,11 @@ void pc_hot_add_cpu(const int64_t id, Error **errp)
     DeviceState *icc_bridge;
     int64_t apic_id =3D x86_cpu_apic_id_from_index(id);
=20
+    if (id < 0) {
+        error_setg(errp, "Invalid CPU id: %" PRIi64, id);
+        return;
+    }
+
     if (cpu_exists(apic_id)) {
         error_setg(errp, "Unable to add CPU: %" PRIi64
                    ", it already exists", id);
--=20
1.8.1.4