From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35942) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a6xzg-0000L2-3T for qemu-devel@nongnu.org; Thu, 10 Dec 2015 04:58:36 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1a6xzc-0008IY-OH for qemu-devel@nongnu.org; Thu, 10 Dec 2015 04:58:36 -0500
Received: from e06smtp09.uk.ibm.com ([195.75.94.105]:52343) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a6xzc-0008HW-Do for qemu-devel@nongnu.org; Thu, 10 Dec 2015 04:58:32 -0500
Received: from localhost by e06smtp09.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 10 Dec 2015 09:58:29 -0000
Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by d06dlp02.portsmouth.uk.ibm.com (Postfix) with ESMTP id DB5932190067 for ; Thu, 10 Dec 2015 09:58:18 +0000 (GMT)
Received: from d06av09.portsmouth.uk.ibm.com (d06av09.portsmouth.uk.ibm.com [9.149.37.250]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id tBA9wQ1F10420708 for ; Thu, 10 Dec 2015 09:58:26 GMT
Received: from d06av09.portsmouth.uk.ibm.com (localhost [127.0.0.1]) by d06av09.portsmouth.uk.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id tBA9wQX8031717 for ; Thu, 10 Dec 2015 02:58:26 -0700
From: Pierre Morel
Date: Thu, 10 Dec 2015 10:58:25 +0100
Message-Id: <1449741505-5559-1-git-send-email-pmorel@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH] vfio/common: Check iova with limit not with size
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, alex.williamson@redhat.com, peter.maydell@linaro.org

In vfio_listener_region_add(), the code makes sure that the offset in the section is lower than the size of the section. To do this the calculation uses size of the region instead of the region limit (size - 1). This leads to Int128 overflow when the region has been initialized with UINT64_MAX.

Let's use the address limit of the region instead of the size.

Signed-off-by: Pierre Morel

--- hw/vfio/common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/vfio/common.c b/hw/vfio/common.c index 85ee9b0..0da10d6 100644 --- a/hw/vfio/common.c +++ b/hw/vfio/common.c @@ -338,7 +338,7 @@ static void vfio_listener_region_add(MemoryListener *listener, iova = TARGET_PAGE_ALIGN(section->offset_within_address_space); llend = int128_make64(section->offset_within_address_space); - llend = int128_add(llend, section->size); + llend = int128_add(llend, int128_sub(section->size, int128_one())); llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK)); if (int128_ge(int128_make64(iova), llend)) { -- 1.7.1
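Review bot: The replacement line turns llend from an exclusive end (offset + size) into an inclusive last address (offset + size - 1), but the two lines that follow in the hunk still treat it as exclusive: `int128_and(llend, int128_exts64(TARGET_PAGE_MASK))` rounds down, and `int128_ge(int128_make64(iova), llend)` rejects the section when iova equals llend. For a section that ends on a page boundary this moves the computed end down by a whole page: with offset_within_address_space = 0x1000 and size = 0x1000, the old code gives llend = 0x2000 and the section is added, while the patched code gives llend = 0x1fff & TARGET_PAGE_MASK = 0x1000, so `iova >= llend` is true and a valid one-page region is silently skipped; any later use of llend to derive the mapping length would likewise come out one page short. If the intent is an inclusive limit, the comparison should become `int128_gt` and the masking should round the limit up to the end of its page (or keep the exclusive end and only guard the UINT64_MAX case), and every downstream consumer of llend in vfio_listener_region_add() needs the same audit. It would also help to state in the commit message which caller initializes section->size to UINT64_MAX and where exactly the Int128 overflow is observed, since 2^64 + 2^64 fits in an Int128 and the failure mode is not obvious from the hunk alone.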