* [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
@ 2011-09-27 8:17 Liu Yu
2011-09-27 12:45 ` Alexander Graf
0 siblings, 1 reply; 7+ messages in thread
From: Liu Yu @ 2011-09-27 8:17 UTC (permalink / raw)
To: qemu-devel; +Cc: Liu Yu
Signed-off-by: Liu Yu <yu.liu@freescale.com>
---
hw/ppce500_pci.c | 26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 2db365d..3e24e85 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr)
case PPCE500_PCI_IW3:
case PPCE500_PCI_IW2:
- case PPCE500_PCI_IW1:
+ case PPCE500_PCI_IW1: {
+ int idx = ((addr >> 5) & 0x3) - 1;
+
switch (addr & 0xC) {
- case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
- case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
- case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
- case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
+ case PCI_PITAR: value = pci->pib[idx].pitar; break;
+ case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
+ case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
+ case PCI_PIWAR: value = pci->pib[idx].piwar; break;
default: break;
};
break;
+ }
case PPCE500_PCI_GASKET_TIMR:
value = pci->gasket_time;
@@ -164,15 +167,18 @@ static void pci_reg_write4(void *opaque, target_phys_addr_t addr,
case PPCE500_PCI_IW3:
case PPCE500_PCI_IW2:
- case PPCE500_PCI_IW1:
+ case PPCE500_PCI_IW1: {
+ int idx = ((addr >> 5) & 0x3) - 1;
+
switch (addr & 0xC) {
- case PCI_PITAR: pci->pib[(addr >> 5) & 0x3].pitar = value; break;
- case PCI_PIWBAR: pci->pib[(addr >> 5) & 0x3].piwbar = value; break;
- case PCI_PIWBEAR: pci->pib[(addr >> 5) & 0x3].piwbear = value; break;
- case PCI_PIWAR: pci->pib[(addr >> 5) & 0x3].piwar = value; break;
+ case PCI_PITAR: pci->pib[idx].pitar = value; break;
+ case PCI_PIWBAR: pci->pib[idx].piwbar = value; break;
+ case PCI_PIWBEAR: pci->pib[idx].piwbear = value; break;
+ case PCI_PIWAR: pci->pib[idx].piwar = value; break;
default: break;
};
break;
+ }
case PPCE500_PCI_GASKET_TIMR:
pci->gasket_time = value;
--
1.6.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
2011-09-27 8:17 [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue Liu Yu
@ 2011-09-27 12:45 ` Alexander Graf
2011-09-27 16:52 ` [Qemu-devel] [Qemu-ppc] " Scott Wood
0 siblings, 1 reply; 7+ messages in thread
From: Alexander Graf @ 2011-09-27 12:45 UTC (permalink / raw)
To: Liu Yu; +Cc: qemu-ppc, qemu-devel Developers
On 27.09.2011, at 10:17, Liu Yu wrote:
> Signed-off-by: Liu Yu <yu.liu@freescale.com>
Patch description missing.
Also, please always CC qemu-ppc@nongnu.org for patches concerning ppc.
> ---
> hw/ppce500_pci.c | 26 ++++++++++++++++----------
> 1 files changed, 16 insertions(+), 10 deletions(-)
>
> diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
> index 2db365d..3e24e85 100644
> --- a/hw/ppce500_pci.c
> +++ b/hw/ppce500_pci.c
> @@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr)
>
> case PPCE500_PCI_IW3:
> case PPCE500_PCI_IW2:
> - case PPCE500_PCI_IW1:
> + case PPCE500_PCI_IW1: {
> + int idx = ((addr >> 5) & 0x3) - 1;
So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?
> +
> switch (addr & 0xC) {
> - case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
> - case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
> - case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
> - case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
> + case PCI_PITAR: value = pci->pib[idx].pitar; break;
> + case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
> + case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
> + case PCI_PIWAR: value = pci->pib[idx].piwar; break;
I'm fairly sure this breaks checkpatch.pl.
Alex
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
2011-09-27 12:45 ` Alexander Graf
@ 2011-09-27 16:52 ` Scott Wood
2011-09-27 17:01 ` Alexander Graf
0 siblings, 1 reply; 7+ messages in thread
From: Scott Wood @ 2011-09-27 16:52 UTC (permalink / raw)
To: Alexander Graf; +Cc: Liu Yu, qemu-ppc, qemu-devel Developers
On 09/27/2011 07:45 AM, Alexander Graf wrote:
> On 27.09.2011, at 10:17, Liu Yu wrote:
>> ---
>> hw/ppce500_pci.c | 26 ++++++++++++++++----------
>> 1 files changed, 16 insertions(+), 10 deletions(-)
>>
>> diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
>> index 2db365d..3e24e85 100644
>> --- a/hw/ppce500_pci.c
>> +++ b/hw/ppce500_pci.c
>> @@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr)
>>
>> case PPCE500_PCI_IW3:
>> case PPCE500_PCI_IW2:
>> - case PPCE500_PCI_IW1:
>> + case PPCE500_PCI_IW1: {
>> + int idx = ((addr >> 5) & 0x3) - 1;
>
> So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?
Not with the values of addr that lead to this code. The -1 is because
IW1/2/3 are 0x1e0/0x1c0/0x1a0. Previously IW1 would overflow the array.
>> switch (addr & 0xC) {
>> - case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
>> - case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
>> - case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
>> - case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
>> + case PCI_PITAR: value = pci->pib[idx].pitar; break;
>> + case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
>> + case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
>> + case PCI_PIWAR: value = pci->pib[idx].piwar; break;
>
> I'm fairly sure this breaks checkpatch.pl.
So does the original code...
If this is to be fixed, the outbound window switch should be fixed too
(and made to use idx, for consistency).
-Scott
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
2011-09-27 16:52 ` [Qemu-devel] [Qemu-ppc] " Scott Wood
@ 2011-09-27 17:01 ` Alexander Graf
2011-09-27 17:04 ` Richard Henderson
2011-09-27 17:06 ` Scott Wood
0 siblings, 2 replies; 7+ messages in thread
From: Alexander Graf @ 2011-09-27 17:01 UTC (permalink / raw)
To: Scott Wood; +Cc: Liu Yu, qemu-ppc, qemu-devel Developers
On 27.09.2011, at 18:52, Scott Wood wrote:
> On 09/27/2011 07:45 AM, Alexander Graf wrote:
>> On 27.09.2011, at 10:17, Liu Yu wrote:
>>> ---
>>> hw/ppce500_pci.c | 26 ++++++++++++++++----------
>>> 1 files changed, 16 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
>>> index 2db365d..3e24e85 100644
>>> --- a/hw/ppce500_pci.c
>>> +++ b/hw/ppce500_pci.c
>>> @@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, target_phys_addr_t addr)
>>>
>>> case PPCE500_PCI_IW3:
>>> case PPCE500_PCI_IW2:
>>> - case PPCE500_PCI_IW1:
>>> + case PPCE500_PCI_IW1: {
>>> + int idx = ((addr >> 5) & 0x3) - 1;
>>
>> So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?
>
> Not with the values of addr that lead to this code. The -1 is because
> IW1/2/3 are 0x1e0/0x1c0/0x1a0. Previously IW1 would overflow the array.
We're matching on addr & 0xfe0 and do the switch based on that. Possible values are:
0x1a0
0x1c0
0x1e0
Then we >> 5 them.
0xd
0xe
0xf
... and & 0x3 them
0x1
0x2
0x0
... and apply -1:
0x0
0x1
-1
>
>>> switch (addr & 0xC) {
>>> - case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
>>> - case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
>>> - case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
>>> - case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
>>> + case PCI_PITAR: value = pci->pib[idx].pitar; break;
>>> + case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
>>> + case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
>>> + case PCI_PIWAR: value = pci->pib[idx].piwar; break;
>>
>> I'm fairly sure this breaks checkpatch.pl.
>
> So does the original code...
>
> If this is to be fixed, the outbound window switch should be fixed too
> (and made to use idx, for consistency).
Yes, please. My preferred way to do this would be to send a cleanup patch that fixes the coding style issues first (can be in the same patch set) and then another patch for functional changes on top. Makes it easier to review.
Alex
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
2011-09-27 17:01 ` Alexander Graf
@ 2011-09-27 17:04 ` Richard Henderson
2011-09-27 17:04 ` Alexander Graf
2011-09-27 17:06 ` Scott Wood
1 sibling, 1 reply; 7+ messages in thread
From: Richard Henderson @ 2011-09-27 17:04 UTC (permalink / raw)
To: Alexander Graf; +Cc: Scott Wood, Liu Yu, qemu-ppc, qemu-devel Developers
On 09/27/2011 10:01 AM, Alexander Graf wrote:
> 0xd
> 0xe
> 0xf
>
> ... and & 0x3 them
>
> 0x1
> 0x2
> 0x0
That's a remarkably different AND function...
r~
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
2011-09-27 17:04 ` Richard Henderson
@ 2011-09-27 17:04 ` Alexander Graf
0 siblings, 0 replies; 7+ messages in thread
From: Alexander Graf @ 2011-09-27 17:04 UTC (permalink / raw)
To: Richard Henderson; +Cc: Scott Wood, Liu Yu, qemu-ppc, qemu-devel Developers
On 27.09.2011, at 19:04, Richard Henderson wrote:
> On 09/27/2011 10:01 AM, Alexander Graf wrote:
>> 0xd
>> 0xe
>> 0xf
>>
>> ... and & 0x3 them
>>
>> 0x1
>> 0x2
>> 0x0
>
> That's a remarkably different AND function...
No, it's a typo. I typed % instead of & and didn't realize it. Bleks.
:)
Alex
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
2011-09-27 17:01 ` Alexander Graf
2011-09-27 17:04 ` Richard Henderson
@ 2011-09-27 17:06 ` Scott Wood
1 sibling, 0 replies; 7+ messages in thread
From: Scott Wood @ 2011-09-27 17:06 UTC (permalink / raw)
To: Alexander Graf; +Cc: Liu Yu, qemu-ppc, qemu-devel Developers
On 09/27/2011 12:01 PM, Alexander Graf wrote:
>
> On 27.09.2011, at 18:52, Scott Wood wrote:
>
>> On 09/27/2011 07:45 AM, Alexander Graf wrote:
>>> So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?
>>
>> Not with the values of addr that lead to this code. The -1 is because
>> IW1/2/3 are 0x1e0/0x1c0/0x1a0. Previously IW1 would overflow the array.
>
> We're matching on addr & 0xfe0 and do the switch based on that. Possible values are:
>
> 0x1a0
> 0x1c0
> 0x1e0
>
> Then we >> 5 them.
>
> 0xd
> 0xe
> 0xf
>
> ... and & 0x3 them
>
> 0x1
> 0x2
> 0x0
0xd & 0x3 = 1
0xe & 0x3 = 2
0xf & 0x3 = 3
-Scott
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-09-27 17:07 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-09-27 8:17 [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue Liu Yu
2011-09-27 12:45 ` Alexander Graf
2011-09-27 16:52 ` [Qemu-devel] [Qemu-ppc] " Scott Wood
2011-09-27 17:01 ` Alexander Graf
2011-09-27 17:04 ` Richard Henderson
2011-09-27 17:04 ` Alexander Graf
2011-09-27 17:06 ` Scott Wood
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).