From: Scott Wood
Date: Tue, 27 Sep 2011 12:06:15 -0500
Subject: Re: [Qemu-devel] [Qemu-ppc] [PATCH] ppc/e500_pci: Fix an array overflow issue
Message-ID: <4E820287.1090805@freescale.com>
References: <1317111439-6478-1-git-send-email-yu.liu@freescale.com> <4E81FF57.7070206@freescale.com>
To: Alexander Graf
Cc: Liu Yu, qemu-ppc@nongnu.org, qemu-devel Developers

On 09/27/2011 12:01 PM, Alexander Graf wrote:
>
> On 27.09.2011, at 18:52, Scott Wood wrote:
>
>> On 09/27/2011 07:45 AM, Alexander Graf wrote:
>>> So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?
>>
>> Not with the values of addr that lead to this code. The -1 is because
>> IW1/2/3 are 0x1e0/0x1c0/0x1a0. Previously IW1 would overflow the array.
>
> We're matching on addr & 0xfe0 and do the switch based on that. Possible values are:
>
> 0x1a0
> 0x1c0
> 0x1e0
>
> Then we >> 5 them.
>
> 0xd
> 0xe
> 0xf
>
> ... and & 0x3 them
>
> 0x1
> 0x2
> 0x0

0xd & 0x3 = 1
0xe & 0x3 = 2
0xf & 0x3 = 3

-Scott
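The index arithmetic argued over in this message, as an added C example that is not part of the thread and not QEMU's e500_pci code: it reproduces the (addr & 0xfe0) >> 5 & 0x3 mapping for the three window offsets named above (0x1a0, 0x1c0, 0x1e0), with and without the -1, and checks each result against a three-entry array. The array size, the function names and the scan over a 4 KiB register page are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed: one entry per inbound window IW1..IW3, as in the thread's "pib" array. */
#define E500_PCI_NUM_IW 3

/* Index as computed before the fix (assumed reconstruction of the arithmetic
 * discussed in the thread): select on addr & 0xfe0, shift right by 5, mask
 * with 3. Returns -1 for offsets this path does not handle. */
int e500_iw_index_old(uint32_t addr)
{
    uint32_t base = addr & 0xfe0;

    switch (base) {
    case 0x1a0: /* IW3 */
    case 0x1c0: /* IW2 */
    case 0x1e0: /* IW1 */
        return (int)((base >> 5) & 0x3);
    default:
        return -1;
    }
}

/* Same selection with the -1 applied afterwards, as the patch does. */
int e500_iw_index_fixed(uint32_t addr)
{
    int idx = e500_iw_index_old(addr);

    return idx < 0 ? -1 : idx - 1;
}

int e500_iw_index_in_bounds(int idx)
{
    return idx >= 0 && idx < E500_PCI_NUM_IW;
}

/* Walk every offset in a 4 KiB register page and count the handled offsets
 * whose index would fall outside the array under the given formula. */
int count_out_of_bounds(int (*index_fn)(uint32_t))
{
    int bad = 0;

    for (uint32_t addr = 0; addr < 0x1000; addr++) {
        int idx = index_fn(addr);

        if (idx >= 0 && !e500_iw_index_in_bounds(idx))
            bad++;
    }
    return bad;
}

/* Smallest index produced for any handled offset; shows whether a negative
 * index (the pib[-1] concern) is reachable at all. */
int min_handled_index(int (*index_fn)(uint32_t))
{
    int min = E500_PCI_NUM_IW;

    for (uint32_t addr = 0; addr < 0x1000; addr++) {
        uint32_t base = addr & 0xfe0;

        if (base != 0x1a0 && base != 0x1c0 && base != 0x1e0)
            continue;
        if (index_fn(addr) < min)
            min = index_fn(addr);
    }
    return min;
}

int main(void)
{
    static const uint32_t offs[] = { 0x1a0, 0x1c0, 0x1e0 };

    for (unsigned i = 0; i < 3; i++)
        printf("0x%03x: old idx %d, fixed idx %d\n", offs[i],
               e500_iw_index_old(offs[i]), e500_iw_index_fixed(offs[i]));
    printf("out-of-bounds offsets: old %d, fixed %d; min fixed idx %d\n",
           count_out_of_bounds(e500_iw_index_old),
           count_out_of_bounds(e500_iw_index_fixed),
           min_handled_index(e500_iw_index_fixed));
    return 0;
}
```

Under the old formula the 32 offsets in the 0x1e0 window (IW1) land on index 3, one past a three-entry array; after the -1 the three windows map to 0, 1 and 2 and no handled offset yields a negative index, which is the point Scott makes with 0xd/0xe/0xf & 0x3.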