qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH] pseries: Fix possible out-of-bounds error
@ 2011-11-21 19:25 Stefan Weil
  2011-11-28 17:53 ` Stefan Weil
  0 siblings, 1 reply; 3+ messages in thread
From: Stefan Weil @ 2011-11-21 19:25 UTC (permalink / raw)
  To: qemu-devel; +Cc: Stefan Weil, Alexander Graf, David Gibson

PCI_NUM_REGIONS is 7, ARRAY_SIZE(bars) is 6. Either bars must be
extended by a 7th array element, or the loop which reads bars[i]
must terminate before it tries to read bars[6].

For dev->io_regions[6].size == 0, the old code also works,
but it is not obvious whether this is always true.

This bug was detected by cppcheck.

Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
---
 hw/spapr_pci.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/spapr_pci.c b/hw/spapr_pci.c
index 7162588..cefde38 100644
--- a/hw/spapr_pci.c
+++ b/hw/spapr_pci.c
@@ -454,7 +454,7 @@ int spapr_populate_pci_devices(sPAPRPHBState *phb,
         reg[0].size = 0;
 
         n = 0;
-        for (i = 0; i < PCI_NUM_REGIONS; ++i) {
+        for (i = 0; i < PCI_NUM_REGIONS && i < ARRAY_SIZE(bars); ++i) {
             if (0 == dev->io_regions[i].size) {
                 continue;
             }
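Review bot: the new `i < ARRAY_SIZE(bars)` bound stops the read of bars[6], but it does so silently: with PCI_NUM_REGIONS at 7 and bars holding 6 entries (per the commit message), the 7th region (index 6) is now never exported, and nothing in the hunk records that this is intended rather than a table that is one entry short. A one-line comment above the loop saying why the last region has no bars[] entry, or a build-time assertion tying ARRAY_SIZE(bars) to PCI_NUM_REGIONS, would make that contract explicit. Also worth checking the type of `i` (not visible in the hunk): if it is a signed int, comparing it against the size_t result of ARRAY_SIZE can draw a sign-compare warning.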
-- 
1.7.2.5
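As an added illustration (not code from the patch or from QEMU), the pattern behind this fix in stand-alone C: a 6-entry table walked by a loop bounded on a 7-region count, the doubly bounded loop from the patch, and a build-time assertion that would reject a table longer than the region count. The struct names, the table contents and the sample region sizes are constructed stand-ins, not the spapr_pci definitions.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))

/* Stand-ins for the QEMU types (assumed, not the real definitions); the
 * counts 7 and 6 are the ones given in the commit message. */
#define PCI_NUM_REGIONS 7
struct pci_region { uint64_t size; };
struct pci_dev { struct pci_region io_regions[PCI_NUM_REGIONS]; };

/* Constructed stand-in for bars[]: one config-space offset per BAR.
 * Six entries, so index 6 (the 7th region) has no table entry. */
static const uint32_t bars[] = { 0x10, 0x14, 0x18, 0x1c, 0x20, 0x24 };

/* Build-time check of the relationship the fix relies on: the table may be
 * shorter than the region count, but never longer. */
_Static_assert(ARRAY_SIZE(bars) <= PCI_NUM_REGIONS, "bars[] longer than region count");

/* Hardened traversal, mirroring the patched loop: i is bounded by both the
 * region count and the table size, so bars[6] is never read. Returns the
 * number of non-empty regions exported into out[]. */
static size_t populate_bars(const struct pci_dev *dev, uint32_t *out, size_t out_len)
{
    size_t i, n = 0;
    for (i = 0; i < PCI_NUM_REGIONS && i < ARRAY_SIZE(bars); ++i) {
        if (dev->io_regions[i].size == 0) {
            continue;
        }
        if (n < out_len) {
            out[n] = bars[i];
        }
        n++;
    }
    return n;
}

/* Constructed worst case: all seven regions report a size. The pre-patch loop
 * would read bars[6] here; the bounded loop exports six and drops region 6. */
static size_t exported_when_all_regions_used(void)
{
    struct pci_dev dev;
    uint32_t out[PCI_NUM_REGIONS];
    size_t i;
    for (i = 0; i < PCI_NUM_REGIONS; ++i) {
        dev.io_regions[i].size = 0x1000;
    }
    return populate_bars(&dev, out, ARRAY_SIZE(out));
}
```

Note that the result of 6 for 7 populated regions is exactly the silent drop the patch introduces; a caller that needs the 7th region exported has to extend the table instead.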


* Re: [Qemu-devel] [PATCH] pseries: Fix possible out-of-bounds error
  2011-11-21 19:25 [Qemu-devel] [PATCH] pseries: Fix possible out-of-bounds error Stefan Weil
@ 2011-11-28 17:53 ` Stefan Weil
  2011-11-29  6:11   ` David Gibson
  0 siblings, 1 reply; 3+ messages in thread
From: Stefan Weil @ 2011-11-28 17:53 UTC (permalink / raw)
  To: Alexander Graf; +Cc: Anthony Liguori, qemu-devel, David Gibson

On 21.11.2011 20:25, Stefan Weil wrote:
> PCI_NUM_REGIONS is 7, ARRAY_SIZE(bars) is 6. Either bars must be
> extended by a 7th array element, or the loop which reads bars[i]
> must terminate before it tries to read bars[6].
>
> For dev->io_regions[6].size == 0, the old code also works,
> but it is not obvious whether this is always true.
>
> This bug was detected by cppcheck.
>
> Cc: David Gibson<david@gibson.dropbear.id.au>
> Signed-off-by: Stefan Weil<sw@weilnetz.de>
> ---
>   hw/spapr_pci.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/hw/spapr_pci.c b/hw/spapr_pci.c
> index 7162588..cefde38 100644
> --- a/hw/spapr_pci.c
> +++ b/hw/spapr_pci.c
> @@ -454,7 +454,7 @@ int spapr_populate_pci_devices(sPAPRPHBState *phb,
>           reg[0].size = 0;
>
>           n = 0;
> -        for (i = 0; i<  PCI_NUM_REGIONS; ++i) {
> +        for (i = 0; i<  PCI_NUM_REGIONS&&  i<  ARRAY_SIZE(bars); ++i) {
>               if (0 == dev->io_regions[i].size) {
>                   continue;
>               }
>    

Ping? Can this be fixed in QEMU 1.0?


* Re: [Qemu-devel] [PATCH] pseries: Fix possible out-of-bounds error
  2011-11-28 17:53 ` Stefan Weil
@ 2011-11-29  6:11   ` David Gibson
  0 siblings, 0 replies; 3+ messages in thread
From: David Gibson @ 2011-11-29  6:11 UTC (permalink / raw)
  To: Stefan Weil; +Cc: Anthony Liguori, Alexander Graf, qemu-devel

On Mon, Nov 28, 2011 at 06:53:33PM +0100, Stefan Weil wrote:
> On 21.11.2011 20:25, Stefan Weil wrote:
> >PCI_NUM_REGIONS is 7, ARRAY_SIZE(bars) is 6. Either bars must be
> >extended by a 7th array element, or the loop which reads bars[i]
> >must terminate before it tries to read bars[6].
> >
> >For dev->io_regions[6].size == 0, the old code also works,
> >but it is not obvious whether this is always true.
> >
> >This bug was detected by cppcheck.
> >
> >Cc: David Gibson<david@gibson.dropbear.id.au>
> >Signed-off-by: Stefan Weil<sw@weilnetz.de>
> >---
> >  hw/spapr_pci.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> >
> >diff --git a/hw/spapr_pci.c b/hw/spapr_pci.c
> >index 7162588..cefde38 100644
> >--- a/hw/spapr_pci.c
> >+++ b/hw/spapr_pci.c
> >@@ -454,7 +454,7 @@ int spapr_populate_pci_devices(sPAPRPHBState *phb,
> >          reg[0].size = 0;
> >
> >          n = 0;
> >-        for (i = 0; i<  PCI_NUM_REGIONS; ++i) {
> >+        for (i = 0; i<  PCI_NUM_REGIONS&&  i<  ARRAY_SIZE(bars); ++i) {
> >              if (0 == dev->io_regions[i].size) {
> >                  continue;
> >              }
> 
> Ping? Can this be fixed in QEMU 1.0?

Sorry, for some reason I missed the initial post of this patch.

Alexey who wrote most of the spapr_pci code actually found and fixed
this already, but we had a bit of a miscommunication so I hadn't
realised to send it upstream yet.  I'll send a fix shortly for 1.0.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

