* [Qemu-devel] [PATCH] vfio/common: Check iova with limit not with size
@ 2015-12-10 9:58 Pierre Morel
From: Pierre Morel @ 2015-12-10 9:58 UTC (permalink / raw)
To: qemu-devel; +Cc: pbonzini, alex.williamson, peter.maydell
In vfio_listener_region_add(), the code makes sure
that the offset in the section is lower than the size
of the section.
To do this the calculation uses the size of the region
instead of the region limit (size - 1).
This leads to an Int128 overflow when the region has
been initialized with UINT64_MAX.
Let's use the address limit of the region instead of the size.
Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
---
hw/vfio/common.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index 85ee9b0..0da10d6 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -338,7 +338,7 @@ static void vfio_listener_region_add(MemoryListener *listener,
iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
llend = int128_make64(section->offset_within_address_space);
- llend = int128_add(llend, section->size);
+ llend = int128_add(llend, int128_sub(section->size, int128_one()));
llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
if (int128_ge(int128_make64(iova), llend)) {
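Review bot: the new `llend` is an inclusive limit, but the two lines that follow still treat it as an exclusive end: `int128_and(llend, int128_exts64(TARGET_PAGE_MASK))` rounds it down to a page boundary and `int128_ge(int128_make64(iova), llend)` rejects the section when the aligned iova equals it. For a section of exactly one page (offset_within_address_space 0x1000, size 0x1000) the old code gave llend 0x2000 and proceeded; with this change llend is 0x1fff, masked to 0x1000, which equals the page-aligned iova, so the section is skipped and its mapping is silently lost. Either keep the exclusive-end arithmetic here and address the UINT64_MAX case separately, or make the whole sequence inclusive, e.g. drop the mask on the limit (or use `int128_gt` for the comparison) and check any later code that derives an `end` from `llend`, which is outside this hunk.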
--
1.7.1