From: Scott Wood <scottwood@freescale.com>
To: Alexander Graf <agraf@suse.de>
Cc: Liu Yu <yu.liu@freescale.com>,
qemu-ppc@nongnu.org,
qemu-devel Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
Date: Tue, 27 Sep 2011 11:52:39 -0500
Message-ID: <4E81FF57.7070206@freescale.com>
In-Reply-To: <B9CF1C26-008E-476C-830A-6E7352860BE8@suse.de>
On 09/27/2011 07:45 AM, Alexander Graf wrote:
> On 27.09.2011, at 10:17, Liu Yu wrote:
>> ---
>> hw/ppce500_pci.c | 26 ++++++++++++++++----------
>> 1 files changed, 16 insertions(+), 10 deletions(-)
>>
>> diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
>> index 2db365d..3e24e85 100644
>> --- a/hw/ppce500_pci.c
>> +++ b/hw/ppce500_pci.c
>> @@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr)
>>
>> case PPCE500_PCI_IW3:
>> case PPCE500_PCI_IW2:
>> - case PPCE500_PCI_IW1:
>> + case PPCE500_PCI_IW1: {
>> + int idx = ((addr >> 5) & 0x3) - 1;
>
> So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?
Not with the values of addr that lead to this code. The -1 is because
IW1/2/3 are 0x1e0/0x1c0/0x1a0. Previously IW1 would overflow the array.
>> switch (addr & 0xC) {
>> - case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
>> - case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
>> - case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
>> - case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
>> + case PCI_PITAR: value = pci->pib[idx].pitar; break;
>> + case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
>> + case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
>> + case PCI_PIWAR: value = pci->pib[idx].piwar; break;
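Review bot: `int idx = ((addr >> 5) & 0x3) - 1;` stays in range only because the surrounding `case PPCE500_PCI_IW3/IW2/IW1` labels restrict addr to the 0x1a0/0x1c0/0x1e0 windows (idx 0/1/2); a one-line comment stating that invariant, or an assert on `idx` before the inner switch, would make the `-1` self-explanatory and would catch any future path that reaches this block with a different offset. Two smaller points on the same hunk: the closing brace for the new `case PPCE500_PCI_IW1: {` block is not visible in the quoted lines, so please confirm it is present, and the single-line `case ...: value = ...; break;` statements keep the layout that checkpatch.pl complains about, as raised in the thread.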
>
> I'm fairly sure this breaks checkpatch.pl.
So does the original code...
If this is to be fixed, the outbound window switch should be fixed too
(and made to use idx, for consistency).
-Scott
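As an added illustration of the index arithmetic discussed above (example code written for this page, not the patch or QEMU's own source): the model below decodes the three inbound-window register offsets quoted in the thread (0x1e0/0x1c0/0x1a0) with the pre-patch expression and with the patched one, and rejects any index that would leave the table. The table size of 3 entries, the field layout selected by `addr & 0xC`, and the sample register contents are assumptions made for the example.

```c
/* Stand-alone model of the e500 PCI inbound-window index decode.
 * Register offsets come from the thread; the table size, the
 * field layout and the sample values are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>

#define PPCE500_PCI_IW3 0x1a0
#define PPCE500_PCI_IW2 0x1c0
#define PPCE500_PCI_IW1 0x1e0

#define PIB_ENTRIES 3            /* assumed size of the inbound-window table */

/* Assumed field layout within a 16-byte window block (selected by addr & 0xC). */
#define FIELD_PITAR   0x0
#define FIELD_PIWBAR  0x4
#define FIELD_PIWBEAR 0x8
#define FIELD_PIWAR   0xC

struct pci_inbound_window {
    uint32_t pitar;
    uint32_t piwbar;
    uint32_t piwbear;
    uint32_t piwar;
};

/* Index as computed before the patch: IW1 (0x1e0) decodes to 3, one past the table. */
int old_window_index(uint32_t addr)
{
    return (addr >> 5) & 0x3;
}

/* Index as computed by the patch: IW3/IW2/IW1 decode to 0/1/2. */
int new_window_index(uint32_t addr)
{
    return ((addr >> 5) & 0x3) - 1;
}

/* Bounds-checked read of one field. Returns 0 and stores the field in *value,
 * or -1 when idx would index outside the table. */
int read_window_field(const struct pci_inbound_window *pib, uint32_t addr,
                      int idx, uint32_t *value)
{
    if (idx < 0 || idx >= PIB_ENTRIES) {
        return -1;                            /* would have been an out-of-bounds read */
    }
    switch (addr & 0xC) {
    case FIELD_PITAR:   *value = pib[idx].pitar;   break;
    case FIELD_PIWBAR:  *value = pib[idx].piwbar;  break;
    case FIELD_PIWBEAR: *value = pib[idx].piwbear; break;
    default:            *value = pib[idx].piwar;   break;   /* FIELD_PIWAR */
    }
    return 0;
}

/* Decode one register offset against a constructed sample table.
 * Returns the field value, or UINT32_MAX when the index is rejected. */
uint32_t probe_read(uint32_t addr, int use_fixed_index)
{
    static const struct pci_inbound_window sample[PIB_ENTRIES] = {   /* constructed */
        { 0x10, 0x11, 0x12, 0x13 },
        { 0x20, 0x21, 0x22, 0x23 },
        { 0x30, 0x31, 0x32, 0x33 },
    };
    int idx = use_fixed_index ? new_window_index(addr) : old_window_index(addr);
    uint32_t value;

    if (read_window_field(sample, addr, idx, &value) != 0) {
        return UINT32_MAX;
    }
    return value;
}

int main(void)
{
    const uint32_t windows[] = { PPCE500_PCI_IW3, PPCE500_PCI_IW2, PPCE500_PCI_IW1 };
    for (size_t i = 0; i < sizeof(windows) / sizeof(windows[0]); i++) {
        uint32_t addr = windows[i] + FIELD_PIWBAR;
        printf("addr 0x%03x: old idx %d, new idx %d, fixed read 0x%08x\n",
               addr, old_window_index(addr), new_window_index(addr),
               probe_read(addr, 1));
    }
    return 0;
}
```

Without the fix, IW1 resolves to index 3 and the probe reports the rejected read; IW3 and IW2 stay in range but read the wrong window (index 1 and 2 instead of 0 and 1), which is why the thread treats the `-1` as the substance of the change rather than a cosmetic shift.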
Thread overview: 7+ messages
2011-09-27 8:17 [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue Liu Yu
2011-09-27 12:45 ` Alexander Graf
2011-09-27 16:52 ` Scott Wood [this message]
2011-09-27 17:01 ` [Qemu-devel] [Qemu-ppc] " Alexander Graf
2011-09-27 17:04 ` Richard Henderson
2011-09-27 17:04 ` Alexander Graf
2011-09-27 17:06 ` Scott Wood