From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:38933)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <yamahata@valinux.co.jp>) id 1QmKwN-0005fg-Hu
	for qemu-devel@nongnu.org; Thu, 28 Jul 2011 03:23:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <yamahata@valinux.co.jp>) id 1QmKwM-0001Aa-BC
	for qemu-devel@nongnu.org; Thu, 28 Jul 2011 03:23:31 -0400
Received: from mail.valinux.co.jp ([210.128.90.3]:47896)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <yamahata@valinux.co.jp>) id 1QmKwL-00019z-LM
	for qemu-devel@nongnu.org; Thu, 28 Jul 2011 03:23:30 -0400
Date: Thu, 28 Jul 2011 16:23:24 +0900
From: Isaku Yamahata <yamahata@valinux.co.jp>
Message-ID: <20110728072324.GF14976@valinux.co.jp>
References: <4E2858C2.5050909@siemens.com> <20110722052707.GA8241@redhat.com>
	<4E293D3D.8070904@siemens.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4E293D3D.8070904@siemens.com>
Subject: Re: [Qemu-devel] [PATCH v2] pci: Common overflow prevention
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: qemu-devel <qemu-devel@nongnu.org>, "Michael S. Tsirkin" <mst@redhat.com>

This might be a bit late comment...

On Fri, Jul 22, 2011 at 11:05:01AM +0200, Jan Kiszka wrote:
> diff --git a/hw/pci_host.c b/hw/pci_host.c
> index 728e2d4..bfdc321 100644
> --- a/hw/pci_host.c
> +++ b/hw/pci_host.c
> @@ -47,17 +47,33 @@ static inline PCIDevice *pci_dev_find_by_addr(PCIBus *bus, uint32_t addr)
>      return pci_find_device(bus, bus_num, devfn);
>  }
>  
> +void pci_config_write_common(PCIDevice *pci_dev, uint32_t addr,
> +                             uint32_t limit, uint32_t val, uint32_t len)
> +{
> +    assert(len <= 4);
> +    pci_dev->config_write(pci_dev, addr, val, MIN(len, limit - addr));
> +}
> +
> +uint32_t pci_config_read_common(PCIDevice *pci_dev, uint32_t addr,
> +                                uint32_t limit, uint32_t len)
> +{
> +    assert(len <= 4);
> +    return pci_dev->config_read(pci_dev, addr, MIN(len, limit - addr));
> +}
> +

Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit < addr.
So we need explicit "if (limit < addr) return;".
Here's the patch for pci branch.

>>From 75c1a2b47c93ad987cd7a37fb62bda9a59f27948 Mon Sep 17 00:00:00 2001
Message-Id: <75c1a2b47c93ad987cd7a37fb62bda9a59f27948.1311837763.git.yamahata@valinux.co.jp>
From: Isaku Yamahata <yamahata@valinux.co.jp>
Date: Thu, 28 Jul 2011 16:20:28 +0900
Subject: [PATCH] pci/host: limit check of pci_host_config_read/write_common

This patch adds boundary check in pci_host_config_read/write_common()
Since limit and addr is unsigned, MIN(len, limit - addr) = len if limit < addr.
So we need explicit "if (limit <= addr) return;"

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
---
 hw/pci_host.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/hw/pci_host.c b/hw/pci_host.c
index 2e8a29f..71fd3a1 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -51,6 +51,9 @@ void pci_host_config_write_common(PCIDevice *pci_dev, uint32_t addr,
                                   uint32_t limit, uint32_t val, uint32_t len)
 {
     assert(len <= 4);
+    if (limit <= addr) {
+        return;
+    }
     pci_dev->config_write(pci_dev, addr, val, MIN(len, limit - addr));
 }
 
@@ -58,6 +61,9 @@ uint32_t pci_host_config_read_common(PCIDevice *pci_dev, uint32_t addr,
                                      uint32_t limit, uint32_t len)
 {
     assert(len <= 4);
+    if (limit <= addr) {
+        return 0;
+    }
     return pci_dev->config_read(pci_dev, addr, MIN(len, limit - addr));
 }
 
-- 
1.7.1.1

-- 
yamahata