From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:51725) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1f5vLS-0002S0-Mt for qemu-devel@nongnu.org; Tue, 10 Apr 2018 11:38:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1f5vLR-0006GB-PV for qemu-devel@nongnu.org; Tue, 10 Apr 2018 11:38:06 -0400 From: Kevin Wolf Date: Tue, 10 Apr 2018 17:37:43 +0200 Message-Id: <20180410153748.22505-3-kwolf@redhat.com> In-Reply-To: <20180410153748.22505-1-kwolf@redhat.com> References: <20180410153748.22505-1-kwolf@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [PULL 2/7] hw/block/pflash_cfi: fix off-by-one error List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-block@nongnu.org Cc: kwolf@redhat.com, peter.maydell@linaro.org, qemu-devel@nongnu.org From: Philippe Mathieu-Daud=C3=A9 ASAN reported: hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds= for type 'uint8_t [82]' Since the 'cfi_len' member is not used, remove it to keep the code safer. Cc: qemu-stable@nongnu.org Reported-by: AddressSanitizer Signed-off-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Kevin Wolf --- hw/block/pflash_cfi01.c | 10 ++++------ hw/block/pflash_cfi02.c | 9 ++++----- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c index 1113ab1ccf..2e8284001d 100644 --- a/hw/block/pflash_cfi01.c +++ b/hw/block/pflash_cfi01.c @@ -90,7 +90,6 @@ struct pflash_t { uint16_t ident1; uint16_t ident2; uint16_t ident3; - uint8_t cfi_len; uint8_t cfi_table[0x52]; uint64_t counter; unsigned int writeblock_size; 
@@ -153,7 +152,7 @@ static uint32_t pflash_cfi_query(pflash_t *pfl, hwadd= r offset) boff =3D offset >> (ctz32(pfl->bank_width) + ctz32(pfl->max_device_width) - ctz32(pfl->device_w= idth)); =20 - if (boff > pfl->cfi_len) { + if (boff >=3D sizeof(pfl->cfi_table)) { return 0; } /* Now we will construct the CFI response generated by a single @@ -385,10 +384,10 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr = offset, boff =3D boff >> 2; } =20 - if (boff > pfl->cfi_len) { - ret =3D 0; - } else { + if (boff < sizeof(pfl->cfi_table)) { ret =3D pfl->cfi_table[boff]; + } else { + ret =3D 0; } } else { /* If we have a read larger than the bank_width, combine mul= tiple @@ -791,7 +790,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Er= ror **errp) pfl->cmd =3D 0; pfl->status =3D 0; /* Hardcoded CFI table */ - pfl->cfi_len =3D 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] =3D 'Q'; pfl->cfi_table[0x11] =3D 'R'; diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c index c81ddd3a99..75d1ae1026 100644 --- a/hw/block/pflash_cfi02.c +++ b/hw/block/pflash_cfi02.c @@ -83,7 +83,6 @@ struct pflash_t { uint16_t ident3; uint16_t unlock_addr0; uint16_t unlock_addr1; - uint8_t cfi_len; uint8_t cfi_table[0x52]; QEMUTimer *timer; /* The device replicates the flash memory across its memory space. = Emulate @@ -235,10 +234,11 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr = offset, break; case 0x98: /* CFI query mode */ - if (boff > pfl->cfi_len) - ret =3D 0; - else + if (boff < sizeof(pfl->cfi_table)) { ret =3D pfl->cfi_table[boff]; + } else { + ret =3D 0; + } break; } =20 @@ -663,7 +663,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Er= ror **errp) pfl->cmd =3D 0; pfl->status =3D 0; /* Hardcoded CFI table (mostly from SG29 Spansion flash) */ - pfl->cfi_len =3D 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] =3D 'Q'; pfl->cfi_table[0x11] =3D 'R'; --=20 2.13.6
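Review bot: the new bound `boff >= sizeof(pfl->cfi_table)` in pflash_cfi_query is the correct one; the old `boff > pfl->cfi_len` with cfi_len == 0x52 let boff == 0x52 through and then indexed one past the 82-byte cfi_table. Because boff is derived from the guest-supplied offset via the ctz32() shift, that read is reachable from the guest, so the qemu-stable Cc in the commit message is warranted.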
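Review bot: in the pflash_read hunk of pflash_cfi01.c the fix also swaps the if/else branch order so the in-bounds case comes first; that is a readability choice rather than part of the bug fix and makes the diff larger than the minimal change. Either form is fine, but keeping the same shape as pflash_cfi_query (`if (boff >= sizeof(pfl->cfi_table)) { ret = 0; } else { ... }`) would make the two checks easier to compare, since this check runs on boff after the `boff = boff >> 2;` adjustment shown just above it.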
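Review bot: with `pfl->cfi_len = 0x52;` removed from pflash_cfi01_realize and pflash_cfi02_realize, the value 0x52 now appears only in the `uint8_t cfi_table[0x52]` declarations, which is what makes sizeof() the single source of truth for the bound; since the struct hunks drop cfi_len from both pflash_t definitions, it is worth confirming that nothing outside the shown hunks (for example a vmstate field list) still refers to cfi_len, or the build will break.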
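Review bot: the pflash_read hunk in pflash_cfi02.c is the one ASAN flagged (hw/block/pflash_cfi02.c:245, index 82 out of bounds for 'uint8_t [82]'); besides replacing the off-by-one `boff > pfl->cfi_len` with `boff < sizeof(pfl->cfi_table)`, it adds the braces the old unbraced if/else lacked, which matches QEMU coding style. Unlike the cfi01 read path, no `boff >> 2` adjustment is visible before this check in the shown context, so the bound is applied to boff as computed earlier in the function; that matches the original code, but the index units should be double-checked against the cfi_table layout.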