From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from [140.186.70.92] (port=57375 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OHdts-00058j-T1 for qemu-devel@nongnu.org; Thu, 27 May 2010 10:17:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1OHdtr-0007Zs-OX for qemu-devel@nongnu.org; Thu, 27 May 2010 10:17:32 -0400
Received: from mx1.redhat.com ([209.132.183.28]:12878) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1OHdtr-0007Zm-Gy for qemu-devel@nongnu.org; Thu, 27 May 2010 10:17:31 -0400
Date: Thu, 27 May 2010 17:13:16 +0300
From: "Michael S. Tsirkin"
Message-ID: <20100527141316.GB8287@redhat.com>
References: <20100527054442.GI31807@valinux.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20100527054442.GI31807@valinux.co.jp>
Subject: [Qemu-devel] Re: [PATCH] pci: fix pci_default_read_config().
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Isaku Yamahata
Cc: qemu-devel@nongnu.org

On Thu, May 27, 2010 at 02:44:42PM +0900, Isaku Yamahata wrote:
> address and config_size are both unsigned.
> So check which is bigger before minus operation.
> Otherwise the result of minus can be unexpected
> big value.
>
> Signed-off-by: Isaku Yamahata

Can this happen in practice? If yes, how?

> ---
> hw/pci.c | 9 +++++++--
> 1 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/hw/pci.c b/hw/pci.c
> index 3362842..39a6206 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -988,9 +988,14 @@ uint32_t pci_default_read_config(PCIDevice *d, > uint32_t address, int len) > { > uint32_t val = 0; > + uint32_t config_size = pci_config_size(d); > assert(len == 1 || len == 2 || len == 4); > - len = MIN(len, pci_config_size(d) - address); > - memcpy(&val, d->config + address, len); > + if (address < config_size) { > + len = MIN(len, config_size - address); > + memcpy(&val, d->config + address, len); > + } else { > + val = ~0; > + } > return le32_to_cpu(val); > } > > -- > 1.6.6.1 >
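Review bot: the two out-of-bounds cases in this hunk disagree with each other. A read that starts past the end now returns ~0, but a read that starts inside the space and runs off the end (`address < config_size` with `len > config_size - address`) is clipped by `MIN(len, config_size - address)` and the bytes beyond the end come back as 0, because `val` is initialized to 0 and only `len` bytes are memcpy'd. A 4-byte read at `config_size - 2` therefore yields two real bytes with zero padding, while the same read at `config_size` yields 0xffffffff. Either fill `val` with 0xff before the copy so both cases return all ones for the missing bytes, or state in the commit message why the existing zero fill is intentionally kept. The commit message should also say which caller can pass `address >= config_size`; the new check only matters if such a path exists.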
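To make the wrap described in the commit message concrete, the following is an added C example, not code from the patch or from QEMU. It re-creates the pre-patch MIN() bound and the patched read over a constructed 256-byte config space; the sample bytes and the names `sample_config`, `unchecked_copy_len` and `checked_read_config` are this example's own, and the read assembles bytes little-endian explicitly, which is what memcpy into a uint32_t followed by le32_to_cpu amounts to.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as QEMU's MIN: the comparison happens after the usual
 * arithmetic conversions, so an int len is compared as unsigned against
 * the uint32_t difference. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Constructed sample: a 256-byte config space (PCI_CONFIG_SPACE_SIZE).
 * Bytes 0..7 mimic vendor 0x8086 / device 0x100e with command 0x0007 and
 * status 0x0010; bytes 254 and 255 are markers for the end-of-space test.
 * Everything else is zero. */
#define SAMPLE_CFG_SIZE 256u
uint8_t sample_config[SAMPLE_CFG_SIZE] = {
    0x86, 0x80, 0x0e, 0x10, 0x07, 0x00, 0x10, 0x00,
    [254] = 0xab, [255] = 0xcd,
};

/* Byte count the pre-patch code handed to memcpy (only computed here, never
 * used to copy). Once address > config_size, config_size - address wraps to
 * a value near UINT32_MAX, MIN returns len unchanged, and the bound is lost:
 * memcpy would then read len bytes starting past the end of d->config. */
uint32_t unchecked_copy_len(uint32_t address, int len, uint32_t config_size)
{
    return MIN((uint32_t)len, config_size - address);
}

/* The patched logic. A read that starts past the end returns all ones; a
 * read that starts inside but runs off the end is clipped, and the missing
 * high bytes stay zero because val starts at 0, exactly as in the patch. */
uint32_t checked_read_config(const uint8_t *cfg, uint32_t config_size,
                             uint32_t address, int len)
{
    uint32_t val = 0;

    if (address < config_size) {
        uint32_t n = MIN((uint32_t)len, config_size - address);
        for (uint32_t i = 0; i < n; i++) {
            val |= (uint32_t)cfg[address + i] << (8 * i);
        }
    } else {
        val = ~0u;
    }
    return val;
}

int main(void)
{
    printf("pre-patch copy len, address 254: %" PRIu32 "\n",
           unchecked_copy_len(254, 4, SAMPLE_CFG_SIZE));
    printf("pre-patch copy len, address 257: %" PRIu32 " (bound lost)\n",
           unchecked_copy_len(257, 4, SAMPLE_CFG_SIZE));
    printf("patched read at 0:   0x%08" PRIx32 "\n",
           checked_read_config(sample_config, SAMPLE_CFG_SIZE, 0, 4));
    printf("patched read at 254: 0x%08" PRIx32 " (clipped, zero padded)\n",
           checked_read_config(sample_config, SAMPLE_CFG_SIZE, 254, 4));
    printf("patched read at 257: 0x%08" PRIx32 "\n",
           checked_read_config(sample_config, SAMPLE_CFG_SIZE, 257, 4));
    return 0;
}
```

The interesting value is the one at address 257: the pre-patch arithmetic gives 256 - 257 = 0xffffffff, so MIN() keeps len = 4 and the copy is unbounded, which is the out-of-bounds read the patch closes. Address 256 happens to be harmless (the difference is 0), which is why a test that only probes the first byte past the end would not have caught it.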