Date: Tue, 29 Nov 2011 17:11:13 +1100
From: David Gibson
Message-ID: <20111129061113.GJ3508@truffala.fritz.box>
References: <1321903504-24287-1-git-send-email-sw@weilnetz.de> <4ED3CA9D.4030202@weilnetz.de>
In-Reply-To: <4ED3CA9D.4030202@weilnetz.de>
Subject: Re: [Qemu-devel] [PATCH] pseries: Fix possible out-of-bounds error
To: Stefan Weil
Cc: Anthony Liguori, Alexander Graf, qemu-devel@nongnu.org

On Mon, Nov 28, 2011 at 06:53:33PM +0100, Stefan Weil wrote:
> On 21.11.2011 20:25, Stefan Weil wrote:
> >PCI_NUM_REGIONS is 7, ARRAY_SIZE(bars) is 6. Either bars must be
> >extended by a 7th array element, or the loop which reads bars[i]
> >must terminate before it tries to read bars[6].
> >
> >For dev->io_regions[6].size == 0, the old code also works,
> >but it is not obvious whether this is always true.
> >
> >This bug was detected by cppcheck.
> >
> >Cc: David Gibson
> >Signed-off-by: Stefan Weil
> >---
> > hw/spapr_pci.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> >diff --git a/hw/spapr_pci.c b/hw/spapr_pci.c
> >index 7162588..cefde38 100644
> >--- a/hw/spapr_pci.c
> >+++ b/hw/spapr_pci.c
> >@@ -454,7 +454,7 @@ int spapr_populate_pci_devices(sPAPRPHBState *phb,
> > reg[0].size = 0;
> >
> > n = 0;
> >- for (i = 0; i< PCI_NUM_REGIONS; ++i) {
> >+ for (i = 0; i< PCI_NUM_REGIONS&& i< ARRAY_SIZE(bars); ++i) {
> > if (0 == dev->io_regions[i].size) {
> > continue;
> > }
>
> Ping? Can this be fixed in QEMU 1.0?

Sorry, for some reason I missed the initial post of this patch. Alexey, who wrote most of the spapr_pci code, actually found and fixed this already, but we had a bit of a miscommunication, so I hadn't realised to send it upstream yet. I'll send a fix shortly for 1.0.

-- 
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
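Review bot: the new loop bound `i< PCI_NUM_REGIONS&& i< ARRAY_SIZE(bars)` stops the read of bars[6], but it also silently drops dev->io_regions[6] from the generated reg list whenever that region has a non-zero size, and the commit message itself says it is not obvious that the size is always 0. Of the two options the commit message lists, extending bars to PCI_NUM_REGIONS entries is the one that keeps every region covered and removes the mismatch instead of working around it; if region 6 is meant to be excluded here, the shorter bound should at least come with a comment stating that and an assertion that dev->io_regions[6].size == 0, so a future change cannot lose a region without any diagnostic. A compile-time check that ARRAY_SIZE(bars) and PCI_NUM_REGIONS agree would turn this class of bug into a build failure rather than something cppcheck has to find after the fact.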
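The mismatch the commit message describes, a loop bounded by PCI_NUM_REGIONS walking a bars table with only six entries, as an added, constructed C example that is not QEMU's code and not the patch author's: it models the out-of-bounds read, the patch's bounded loop (but counting what it drops rather than dropping it silently), and the alternative fix of extending the table with a compile-time size check. The struct names, the sample region values, the BAR offsets in the tables and the functions populate_regs, run_short_table and run_full_table are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the mismatch in the patch above (not QEMU's code):
 * a loop bounded by PCI_NUM_REGIONS (7) indexing a bars table that only has
 * 6 entries. Every name and value below is an assumption for illustration. */
#define PCI_NUM_REGIONS 7
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct region {            /* stands in for dev->io_regions[i] */
    uint64_t addr;
    uint64_t size;
};

struct reg_entry {         /* one entry of the reg-style output list */
    uint32_t bar;
    uint64_t addr;
    uint64_t size;
};

struct populate_result {
    size_t n;              /* entries written */
    size_t skipped;        /* non-empty regions dropped for lack of a bars entry */
};

/* The short table from the bug report: six entries, none for region 6.
 * The offsets are illustrative config-space BAR offsets (assumption). */
static const uint32_t bars_short[6] = { 0x10, 0x14, 0x18, 0x1c, 0x20, 0x24 };

/* The other fix the commit message mentions: a 7th entry so the table covers
 * every region. The check makes any future size mismatch a compile error. */
static const uint32_t bars_full[PCI_NUM_REGIONS] = {
    0x10, 0x14, 0x18, 0x1c, 0x20, 0x24, 0x30
};
_Static_assert(ARRAY_SIZE(bars_full) == PCI_NUM_REGIONS,
               "bars_full must have one entry per PCI region");

/* Constructed sample: regions 0, 2 and 6 are populated, the rest are empty.
 * Region 6 is exactly the case the commit message calls "not obvious". */
static const struct region sample_regions[PCI_NUM_REGIONS] = {
    [0] = { 0xc0000000, 0x1000 },
    [2] = { 0xc0001000, 0x100 },
    [6] = { 0xc0100000, 0x20000 },
};

/* Build the output list. The index is checked against the size of BOTH
 * arrays, as in the patch, but a non-empty region that has no bars entry is
 * counted instead of being dropped silently, so callers can detect the loss. */
struct populate_result populate_regs(const struct region *io_regions,
                                     size_t nregions,
                                     const uint32_t *bars, size_t nbars,
                                     struct reg_entry *out)
{
    struct populate_result r = { 0, 0 };

    for (size_t i = 0; i < nregions; ++i) {
        if (io_regions[i].size == 0) {
            continue;
        }
        if (i >= nbars) {           /* the old loop would have read bars[6] here */
            r.skipped++;
            continue;
        }
        out[r.n].bar = bars[i];
        out[r.n].addr = io_regions[i].addr;
        out[r.n].size = io_regions[i].size;
        r.n++;
    }
    return r;
}

/* Same input through the 6-entry table: region 6 is lost (n == 2, skipped == 1). */
struct populate_result run_short_table(void)
{
    struct reg_entry out[PCI_NUM_REGIONS];
    return populate_regs(sample_regions, PCI_NUM_REGIONS,
                         bars_short, ARRAY_SIZE(bars_short), out);
}

/* Same input through the 7-entry table: nothing is lost (n == 3, skipped == 0). */
struct populate_result run_full_table(void)
{
    struct reg_entry out[PCI_NUM_REGIONS];
    return populate_regs(sample_regions, PCI_NUM_REGIONS,
                         bars_full, ARRAY_SIZE(bars_full), out);
}

int main(void)
{
    struct populate_result s = run_short_table();
    struct populate_result f = run_full_table();
    printf("short table: %zu entries, %zu skipped\n", s.n, s.skipped);
    printf("full table:  %zu entries, %zu skipped\n", f.n, f.skipped);
    return 0;
}
```

The point of the `skipped` counter is that the bounded loop from the patch is only safe if nobody ever populates region 6; counting the drop (or asserting on it) makes that assumption checkable, while the `_Static_assert` on the extended table removes the assumption altogether.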