Message-ID: <51AD7DA3.4070905@linux.vnet.ibm.com>
Date: Tue, 04 Jun 2013 00:39:47 -0500
From: Jesse Larrew
Subject: Re: [Qemu-devel] [PATCH] target-i386: cpu: fix potential buffer overrun in get_register_name_32()
References: <1370276607-4180-1-git-send-email-imammedo@redhat.com>
In-Reply-To: <1370276607-4180-1-git-send-email-imammedo@redhat.com>
To: Igor Mammedov
Cc: qemu-devel@nongnu.org, afaerber@suse.de

On 06/03/2013 11:23 AM, Igor Mammedov wrote:
> spotted by Coverity,
> x86_reg_info_32[] is CPU_NB_REGS32 elements long, so accessing
> x86_reg_info_32[CPU_NB_REGS32] will be one element off array.
>
> Signed-off-by: Igor Mammedov
> ---
> target-i386/cpu.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/target-i386/cpu.c b/target-i386/cpu.c
> index 1a501d9..ae8e682 100644
> --- a/target-i386/cpu.c
> +++ b/target-i386/cpu.c
> @@ -221,7 +221,7 @@ X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32] = {
>
> const char *get_register_name_32(unsigned int reg)
> {
> - if (reg > CPU_NB_REGS32) {
> + if (reg >= CPU_NB_REGS32) {
> return NULL;
> }
> return x86_reg_info_32[reg].name;
>

Looks obvious now that it's been spotted. ;)

Reviewed by: Jesse Larrew

Jesse Larrew
Software Engineer, KVM Team
IBM Linux Technology Center
Phone: (512) 973-2052 (T/L: 363-2052)
jlarrew@linux.vnet.ibm.com
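Review bot: the new bound is correct, and the commit message would be clearer if it spelled out why: the hunk header shows `X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32]`, so the valid indices are 0..CPU_NB_REGS32-1, and `reg == CPU_NB_REGS32` (which `reg > CPU_NB_REGS32` let through) must be rejected, which `reg >= CPU_NB_REGS32` now does; because `reg` is `unsigned int`, this single comparison also covers any value that wrapped from a negative. Two small follow-ups: "spotted by Coverity" gives no finding ID, so add it if one is available, and it is worth confirming that every caller of get_register_name_32() handles the NULL return, since otherwise the fix only turns an out-of-bounds read into a NULL dereference in the caller.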