* [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
@ 2014-08-19 7:18 arei.gonglei
2014-08-19 14:59 ` Marcel Apfelbaum
2014-08-19 15:12 ` Peter Crosthwaite
0 siblings, 2 replies; 5+ messages in thread
From: arei.gonglei @ 2014-08-19 7:18 UTC (permalink / raw)
To: qemu-devel; +Cc: Gonglei, weidong.huang, mst
From: Gonglei <arei.gonglei@huawei.com>
When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
s->acpi_pcihp_pci_status[bsel] array will out of bounds.
Add check for this.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
hw/acpi/pcihp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index fae663a..34dedf1 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
uint32_t val = 0;
int bsel = s->hotplug_select;
- if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+ if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
return 0;
}
--
1.7.12.4
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
2014-08-19 7:18 [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds arei.gonglei
@ 2014-08-19 14:59 ` Marcel Apfelbaum
2014-08-20 2:22 ` Gonglei (Arei)
2014-08-19 15:12 ` Peter Crosthwaite
1 sibling, 1 reply; 5+ messages in thread
From: Marcel Apfelbaum @ 2014-08-19 14:59 UTC (permalink / raw)
To: arei.gonglei; +Cc: weidong.huang, qemu-devel, mst
On Tue, 2014-08-19 at 15:18 +0800, arei.gonglei@huawei.com wrote:
> From: Gonglei <arei.gonglei@huawei.com>
>
> When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> s->acpi_pcihp_pci_status[bsel] array will out of bounds.
I would change the commit message to something like
"Prevent out-of-bounds array access on acpi_pcihp_pci_status.
Other than that, it looks OK to me.
Thanks,
Marcel
>
> Add check for this.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> hw/acpi/pcihp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
> index fae663a..34dedf1 100644
> --- a/hw/acpi/pcihp.c
> +++ b/hw/acpi/pcihp.c
> @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
> uint32_t val = 0;
> int bsel = s->hotplug_select;
>
> - if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> + if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> return 0;
> }
>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
2014-08-19 14:59 ` Marcel Apfelbaum
@ 2014-08-20 2:22 ` Gonglei (Arei)
0 siblings, 0 replies; 5+ messages in thread
From: Gonglei (Arei) @ 2014-08-20 2:22 UTC (permalink / raw)
To: marcel.a@redhat.com
Cc: Huangweidong (C), qemu-devel@nongnu.org, mst@redhat.com
> -----Original Message-----
> From: Marcel Apfelbaum [mailto:marcel.apfelbaum@gmail.com]
> Sent: Tuesday, August 19, 2014 11:00 PM
> To: Gonglei (Arei)
> Cc: qemu-devel@nongnu.org; Huangweidong (C); mst@redhat.com
> Subject: Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
>
> On Tue, 2014-08-19 at 15:18 +0800, arei.gonglei@huawei.com wrote:
> > From: Gonglei <arei.gonglei@huawei.com>
> >
> > When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> > s->acpi_pcihp_pci_status[bsel] array will out of bounds.
> I would change the commit message to something like
> "Prevent out-of-bounds array access on acpi_pcihp_pci_status.
>
> Other than that, it looks OK to me.
> Thanks,
> Marcel
>
OK, it's better, thanks. V2 will be posted.
Best regards,
-Gonglei
> >
> > Add check for this.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> > ---
> > hw/acpi/pcihp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
> > index fae663a..34dedf1 100644
> > --- a/hw/acpi/pcihp.c
> > +++ b/hw/acpi/pcihp.c
> > @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr,
> unsigned int size)
> > uint32_t val = 0;
> > int bsel = s->hotplug_select;
> >
> > - if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> > + if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> > return 0;
> > }
> >
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
2014-08-19 7:18 [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds arei.gonglei
2014-08-19 14:59 ` Marcel Apfelbaum
@ 2014-08-19 15:12 ` Peter Crosthwaite
2014-08-20 2:24 ` Gonglei (Arei)
1 sibling, 1 reply; 5+ messages in thread
From: Peter Crosthwaite @ 2014-08-19 15:12 UTC (permalink / raw)
To: gonglei
Cc: Huangweidong (C), qemu-devel@nongnu.org Developers,
Michael S. Tsirkin
On Tue, Aug 19, 2014 at 5:18 PM, <arei.gonglei@huawei.com> wrote:
> From: Gonglei <arei.gonglei@huawei.com>
>
> When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> s->acpi_pcihp_pci_status[bsel] array will out of bounds.
>
> Add check for this.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
> ---
> hw/acpi/pcihp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
> index fae663a..34dedf1 100644
> --- a/hw/acpi/pcihp.c
> +++ b/hw/acpi/pcihp.c
> @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
> uint32_t val = 0;
> int bsel = s->hotplug_select;
>
> - if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> + if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> return 0;
> }
>
> --
> 1.7.12.4
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
2014-08-19 15:12 ` Peter Crosthwaite
@ 2014-08-20 2:24 ` Gonglei (Arei)
0 siblings, 0 replies; 5+ messages in thread
From: Gonglei (Arei) @ 2014-08-20 2:24 UTC (permalink / raw)
To: Peter Crosthwaite
Cc: Huangweidong (C), qemu-devel@nongnu.org Developers,
Michael S. Tsirkin
> -----Original Message-----
> From: peter.crosthwaite@petalogix.com
> [mailto:peter.crosthwaite@petalogix.com] On Behalf Of Peter Crosthwaite
> Sent: Tuesday, August 19, 2014 11:12 PM
> To: Gonglei (Arei)
> Cc: qemu-devel@nongnu.org Developers; Huangweidong (C); Michael S. Tsirkin
> Subject: Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
>
> On Tue, Aug 19, 2014 at 5:18 PM, <arei.gonglei@huawei.com> wrote:
> > From: Gonglei <arei.gonglei@huawei.com>
> >
> > When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> > s->acpi_pcihp_pci_status[bsel] array will out of bounds.
> >
> > Add check for this.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
>
> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
>
Thanks.
Best regards,
-Gonglei
> > ---
> > hw/acpi/pcihp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
> > index fae663a..34dedf1 100644
> > --- a/hw/acpi/pcihp.c
> > +++ b/hw/acpi/pcihp.c
> > @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr,
> unsigned int size)
> > uint32_t val = 0;
> > int bsel = s->hotplug_select;
> >
> > - if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> > + if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> > return 0;
> > }
> >
> > --
> > 1.7.12.4
> >
> >
> >
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-08-20 2:25 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-08-19 7:18 [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds arei.gonglei
2014-08-19 14:59 ` Marcel Apfelbaum
2014-08-20 2:22 ` Gonglei (Arei)
2014-08-19 15:12 ` Peter Crosthwaite
2014-08-20 2:24 ` Gonglei (Arei)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).