From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33755)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1YL573-0001UN-WB
	for qemu-devel@nongnu.org; Tue, 10 Feb 2015 02:20:02 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1YL572-00030U-Vj
	for qemu-devel@nongnu.org; Tue, 10 Feb 2015 02:20:01 -0500
Message-ID: <54D9B107.3070002@huawei.com>
Date: Tue, 10 Feb 2015 15:19:35 +0800
From: Gonglei <arei.gonglei@huawei.com>
MIME-Version: 1.0
References: <1422689277-16032-1-git-send-email-arei.gonglei@huawei.com>
	<1422689277-16032-3-git-send-email-arei.gonglei@huawei.com>
	<alpine.DEB.2.02.1502100638200.29696@kaball.uk.xensource.com>
	<54D9A9E6.3040306@huawei.com>
	<alpine.DEB.2.02.1502100700180.29696@kaball.uk.xensource.com>
In-Reply-To: <alpine.DEB.2.02.1502100700180.29696@kaball.uk.xensource.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 2/2] xen-pt: fix Out-of-bounds read
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org, peter.huangpeng@huawei.com

On 2015/2/10 15:00, Stefano Stabellini wrote:
> On Tue, 10 Feb 2015, Gonglei wrote:
>> On 2015/2/10 14:39, Stefano Stabellini wrote:
>>> On Sat, 31 Jan 2015, arei.gonglei@huawei.com wrote:
>>>> From: Gonglei <arei.gonglei@huawei.com>
>>>>
>>>> The array length of s->real_device.io_regions[] is
>>>> "PCI_NUM_REGIONS - 1". Add a check, just make Coverity happy.
>>>>
>>>> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
>>>> ---
>>>>  hw/xen/xen_pt_config_init.c | 5 +++++
>>>>  1 file changed, 5 insertions(+)
>>>>
>>>> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
>>>> index 710fe50..3c8b0f1 100644
>>>> --- a/hw/xen/xen_pt_config_init.c
>>>> +++ b/hw/xen/xen_pt_config_init.c
>>>> @@ -443,6 +443,11 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
>>>>          return -1;
>>>>      }
>>>>  
>>>> +    if (index == PCI_ROM_SLOT) {
>>>> +        XEN_PT_ERR(&s->dev, "Internal error: Access violation at ROM BAR.\n");
>>>> +        return -1;
>>>> +    }
>>>
>>> Could you please fix the boundaries of the check just above?
>>> Also please avoid using PCI_ROM_SLOT for the array index check, simply
>>> use PCI_NUM_REGIONS.
>>>
>> You meaning is changing the below check:
>>
>> if (index < 0 || index >= PCI_NUM_REGIONS - 1) {
>>         XEN_PT_ERR(&s->dev, "Internal error: Invalid BAR index [%d].\n", index);
>>         return -1;
>>     }
>>
>> Isn't it?
>  
> that's right
> 
OK, will do, thanks.

Regards,
-Gonglei