From: Alexander Graf <agraf@suse.de>
To: qemu-ppc@nongnu.org
Cc: peter.maydell@linaro.org,
Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>,
qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 14/37] spapr: Fix integer overflow during migration (TCG)
Date: Wed, 7 Jan 2015 16:20:25 +0100 [thread overview]
Message-ID: <1420644048-16919-15-git-send-email-agraf@suse.de> (raw)
In-Reply-To: <1420644048-16919-1-git-send-email-agraf@suse.de>
From: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
The n_valid and n_invalid fields are unsigned short integers but it is
possible to have more than 65535 entries in a contiguous hunk, overflowing
the field. This results in an incorrect HTAB being sent to the destination
during migration.
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>
---
hw/ppc/spapr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 869b721..765a44c 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1065,7 +1065,7 @@ static void htab_save_first_pass(QEMUFile *f, sPAPREnvironment *spapr,
/* Consume valid HPTEs */
chunkstart = index;
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
&& HPTE_VALID(HPTE(spapr->htab, index))) {
index++;
CLEAN_HPTE(HPTE(spapr->htab, index));
@@ -1117,7 +1117,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr,
chunkstart = index;
/* Consume valid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
&& HPTE_DIRTY(HPTE(spapr->htab, index))
&& HPTE_VALID(HPTE(spapr->htab, index))) {
CLEAN_HPTE(HPTE(spapr->htab, index));
@@ -1127,7 +1127,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr,
invalidstart = index;
/* Consume invalid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - invalidstart < USHRT_MAX)
&& HPTE_DIRTY(HPTE(spapr->htab, index))
&& !HPTE_VALID(HPTE(spapr->htab, index))) {
CLEAN_HPTE(HPTE(spapr->htab, index));
--
1.8.1.4
next prev parent reply other threads:[~2015-01-07 15:21 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-07 15:20 [Qemu-devel] [PULL 00/37] ppc patch queue 2015-01-07 Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 01/37] PPC: e500: Move CCSR definition to params Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 02/37] PPC: e500: Move CCSR and MMIO space to upper end of address space Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 03/37] PPC: mpc8554ds: Tell user about exceeding RAM limits Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 04/37] PPC: e500 pci host: Add support for ATMUs Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 05/37] target-ppc: Load/Store Vector Element Storage Alignment Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 06/37] target-ppc: VXSQRT Should Not Be Set for NaNs Alexander Graf
2015-02-12 22:21 ` Maciej W. Rozycki
2015-02-13 14:28 ` Tom Musta
2015-02-13 23:35 ` Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 07/37] target-ppc: Fix Floating Point Move Instructions That Set CR1 Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 08/37] target-ppc: mffs. Should Set CR1 from FPSCR Bits Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 09/37] target-ppc: Fully Migrate to gen_set_cr1_from_fpscr Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 10/37] target-ppc: Eliminate set_fprf Argument From gen_compute_fprf Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 11/37] target-ppc: Eliminate set_fprf Argument From helper_compute_fprf Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 12/37] target-ppc: explicitly save page table headers in big endian Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 13/37] spapr: Fix stale HTAB during live migration (KVM) Alexander Graf
2015-01-07 15:20 ` Alexander Graf [this message]
2015-01-07 15:20 ` [Qemu-devel] [PULL 15/37] spapr: Fix stale HTAB during live migration (TCG) Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 16/37] device-tree: fix memory leak Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 17/37] ppc: do not use get_clock_realtime() Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 18/37] PPC: Fix crash on spapr_tce_table_finalize() Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 19/37] pseries: Update SLOF firmware image to 20141202 Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 20/37] target-ppc: Introduce Instruction Type for Transactional Memory Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 21/37] target-ppc: Introduce Feature Flag " Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 22/37] target-ppc: Introduce tm_enabled Bit to CPU State Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 23/37] target-ppc: Power8 Supports Transactional Memory Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 24/37] target-ppc: Introduce TEXASRU Bit Fields Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 25/37] target-ppc: Introduce tbegin Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 26/37] target-ppc: Introduce TM Noops Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 27/37] target-ppc: Introduce tcheck Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 28/37] target-ppc: Introduce Privileged TM Noops Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 29/37] PPC: e500: Fix GPIO controller interrupt number Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 30/37] target-ppc: Mark SR() and gen_sync_exception() as !CONFIG_USER_ONLY Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 31/37] target-ppc: Cast ssize_t to size_t before printing with %zx Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 32/37] hw/ppc: modified the condition for usb controllers to be created for some ppc machines Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 33/37] hw/machine: added machine_usb wrapper Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 34/37] hw/usb: simplified usb_enabled Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 35/37] hw/ppc/mac_newworld: QOMified mac99 machines Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 36/37] hw/ppc/spapr: simplify usb controller creation logic Alexander Graf
2015-01-07 15:20 ` [Qemu-devel] [PULL 37/37] hw/ppc/mac_newworld: " Alexander Graf
2015-01-10 21:02 ` [Qemu-devel] [PULL 00/37] ppc patch queue 2015-01-07 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1420644048-16919-15-git-send-email-agraf@suse.de \
--to=agraf@suse.de \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=sam.mj@au1.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).