From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Daniella Lee <daniellalee111@gmail.com>
Subject: [PULL 7/7] Fix bad overflow check in hw/pci/pcie.c
Date: Mon, 29 Nov 2021 08:51:31 -0500 [thread overview]
Message-ID: <20211129135053.560225-8-mst@redhat.com> (raw)
In-Reply-To: <20211129135053.560225-1-mst@redhat.com>
From: Daniella Lee <daniellalee111@gmail.com>
Orginal qemu commit hash:14d02cfbe4adaeebe7cb833a8cc71191352cf03b
In function pcie_add_capability, an assert contains the
"offset < offset + size" expression.
Both variable offset and variable size are uint16_t,
the comparison is always true due to type promotion.
The next expression may be the same.
It might be like this:
Thread 1 "qemu-system-x86" hit Breakpoint 1, pcie_add_capability (
dev=0x555557ce5f10, cap_id=1, cap_ver=2 '\002', offset=256, size=72)
at ../hw/pci/pcie.c:930
930 {
(gdb) n
931 assert(offset >= PCI_CONFIG_SPACE_SIZE);
(gdb) n
932 assert(offset < offset + size);
(gdb) p offset
$1 = 256
(gdb) p offset < offset + size
$2 = 1
(gdb) set offset=65533
(gdb) p offset < offset + size
$3 = 1
(gdb) p offset < (uint16_t)(offset + size)
$4 = 0
Signed-off-by: Daniella Lee <daniellalee111@gmail.com>
Message-Id: <20211126061324.47331-1-daniellalee111@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/pci/pcie.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index c5ed266337..d7d73a31e4 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -929,8 +929,8 @@ void pcie_add_capability(PCIDevice *dev,
uint16_t offset, uint16_t size)
{
assert(offset >= PCI_CONFIG_SPACE_SIZE);
- assert(offset < offset + size);
- assert(offset + size <= PCIE_CONFIG_SPACE_SIZE);
+ assert(offset < (uint16_t)(offset + size));
+ assert((uint16_t)(offset + size) <= PCIE_CONFIG_SPACE_SIZE);
assert(size >= 8);
assert(pci_is_express(dev));
--
MST
next prev parent reply other threads:[~2021-11-29 14:00 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-29 13:51 [PULL 0/7] virtio,pci,pc: bugfixes Michael S. Tsirkin
2021-11-29 13:51 ` [PULL 1/7] virtio-mmio : fix the crash in the vm shutdown Michael S. Tsirkin
2021-11-29 13:51 ` [PULL 2/7] failover: fix unplug pending detection Michael S. Tsirkin
2021-11-29 13:51 ` [PULL 3/7] vdpa: Add dummy receive callback Michael S. Tsirkin
2021-11-29 13:51 ` [PULL 4/7] virtio-balloon: process all in sgs for free_page_vq Michael S. Tsirkin
2021-11-29 13:51 ` [PULL 5/7] virtio-balloon: correct used length Michael S. Tsirkin
2021-11-29 13:51 ` [PULL 6/7] intel-iommu: ignore leaf SNP bit in scalable mode Michael S. Tsirkin
2021-11-29 13:51 ` Michael S. Tsirkin [this message]
2021-11-29 16:45 ` [PULL 0/7] virtio,pci,pc: bugfixes Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211129135053.560225-8-mst@redhat.com \
--to=mst@redhat.com \
--cc=daniellalee111@gmail.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).