From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43911)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefan@weilnetz.de>) id 1Wu0QE-0001e5-0v
	for qemu-devel@nongnu.org; Mon, 09 Jun 2014 10:19:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefan@weilnetz.de>) id 1Wu0Q9-0008LL-4G
	for qemu-devel@nongnu.org; Mon, 09 Jun 2014 10:19:37 -0400
Received: from qemu.weilnetz.de ([37.221.198.45]:41071)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefan@weilnetz.de>) id 1Wu0Q8-0008Ky-Uq
	for qemu-devel@nongnu.org; Mon, 09 Jun 2014 10:19:33 -0400
From: Stefan Weil <sw@weilnetz.de>
Date: Mon,  9 Jun 2014 16:19:29 +0200
Message-Id: <1402323569-30927-1-git-send-email-sw@weilnetz.de>
Subject: [Qemu-devel] [PATCH] apb: Fix out-of-bounds array write access
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>, Stefan Weil <sw@weilnetz.de>

The array regs is declared with IOMMU_NREGS (3) elements and accessed
using IOMMU_CTRL (0) and IOMMU_BASE (8). In most cases, those values
are right shifted before being used as an index which results in indices
0 and 1. In one case, this right shift was missing for IOMMU_BASE which
results in an out-of-bounds write access with index 8.

The patch adds the missing shift operation also for IOMMU_CTRL where
it is needed only for cosmetic reasons.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
---

Any reason why the array is declared with 3 elements when only the first 2
are used?

Regards,
Stefan

 hw/pci-host/apb.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/pci-host/apb.c b/hw/pci-host/apb.c
index 1497008..887338e 100644
--- a/hw/pci-host/apb.c
+++ b/hw/pci-host/apb.c
@@ -1,4 +1,4 @@
-/*
+re/*
  * QEMU Ultrasparc APB PCI host
  *
  * Copyright (c) 2006 Fabrice Bellard
@@ -333,7 +333,7 @@ static void iommu_config_write(void *opaque, hwaddr addr,
             is->regs[IOMMU_CTRL >> 3] &= 0xffffffffULL;
             is->regs[IOMMU_CTRL >> 3] |= val << 32;
         } else {
-            is->regs[IOMMU_CTRL] = val;
+            is->regs[IOMMU_CTRL >> 3] = val;
         }
         break;
     case IOMMU_CTRL + 0x4:
@@ -345,7 +345,7 @@ static void iommu_config_write(void *opaque, hwaddr addr,
             is->regs[IOMMU_BASE >> 3] &= 0xffffffffULL;
             is->regs[IOMMU_BASE >> 3] |= val << 32;
         } else {
-            is->regs[IOMMU_BASE] = val;
+            is->regs[IOMMU_BASE >> 3] = val;
         }
         break;
     case IOMMU_BASE + 0x4:
-- 
1.7.10.4