From: Laszlo Ersek
Date: Wed, 4 Nov 2015 15:33:04 +0100
Subject: Re: [Qemu-devel] [PATCH v4 4/6] fw_cfg: avoid calculating invalid current entry pointer
To: "Gabriel L. Somlo", qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, markmb@redhat.com, pbonzini@redhat.com, kraxel@redhat.com, jordan.l.justen@intel.com
Message-ID: <563A1720.4010308@redhat.com>
In-Reply-To: <1446586842-21793-5-git-send-email-somlo@cmu.edu>
References: <1446586842-21793-1-git-send-email-somlo@cmu.edu> <1446586842-21793-5-git-send-email-somlo@cmu.edu>

On 11/03/15 22:40, Gabriel L. Somlo wrote:
> When calculating a pointer to the currently selected fw_cfg item, the
> following is used:
>
>   FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
>
> When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
> a non-existent element in s->entries[arch][...], which is undefined.
>
> This patch ensures the resulting entry pointer is se to NULL whenever

se[t] to NULL

> s->cur_entry is FW_CFG_INVALID.
>
> Reported-by: Laszlo Ersek
> Cc: Marc Marí
> Signed-off-by: Gabriel Somlo
> ---
>  hw/nvram/fw_cfg.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
> index c2d3a0a..046fa74 100644
> --- a/hw/nvram/fw_cfg.c
> +++ b/hw/nvram/fw_cfg.c
> @@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
>  static uint8_t fw_cfg_read(FWCfgState *s)
>  {
>      int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
> -    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
> +    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
> +                    &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
>      uint8_t ret;
>
>      if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
> @@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
>      }
>
>      arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
> -    e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
> +    e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
> +        &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
>
>      if (dma.control & FW_CFG_DMA_CTL_READ) {
>          read = 1;
>

Reviewed-by: Laszlo Ersek
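Review bot: in the fw_cfg_read hunk (@@ -277,7 +277,8 @@), the NULL value now assigned to e is only safe because `s->cur_entry == FW_CFG_INVALID` remains the first operand of the `||` in `if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)`; short-circuit evaluation is the only thing standing between the new NULL and the `!e->data` dereference. Testing `!e` there instead of repeating the FW_CFG_INVALID comparison would tie the guard to the pointer computation so the two cannot drift apart in a later edit; failing that, a one-line comment saying that e is NULL exactly when cur_entry is FW_CFG_INVALID would document the invariant the condition ordering relies on.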
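Review bot: the fw_cfg_dma_transfer hunk (@@ -342,7 +343,8 @@) ends at `read = 1;`, so none of the later uses of e in that function are visible here; every dereference of e after this point must sit behind a `s->cur_entry == FW_CFG_INVALID` (or `!e`) test, otherwise the patch turns an out-of-bounds address computation into a NULL dereference in the DMA path. The ternary is a verbatim copy of the one added to fw_cfg_read; a small static helper returning NULL for FW_CFG_INVALID and `&s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]` otherwise would keep both call sites in sync and leave a single place to document the invariant.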
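As an added illustration, not QEMU's code and not part of the patch above, the following self-contained C model shows the entry-pointer pattern the patch adopts: a selector whose low bits index a table and whose high bit picks one of two tables, with "nothing selected" represented by an all-ones value, and a lookup that refuses to form a pointer at all in that case instead of computing the address of a non-existent element. The constant values, the struct and function names, the tiny table size and the sample blob are all assumptions chosen for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed selector layout for this model (assumed, not QEMU's values):
 * low bits index the entry table, one high bit picks the per-arch table,
 * and all-ones means "nothing selected". */
#define ENTRY_MASK   0x3fffu
#define ARCH_LOCAL   0x8000u
#define SEL_INVALID  0xffffu
#define MAX_ENTRY    4          /* deliberately tiny so out-of-range is obvious */

typedef struct {
    const uint8_t *data;        /* NULL when the slot holds nothing */
    uint32_t len;
} Entry;

typedef struct {
    Entry entries[2][MAX_ENTRY];
    uint16_t cur_entry;
    uint32_t cur_offset;
} State;

/* Constructed sample payload for slot 1 of the generic table. */
static const uint8_t demo_blob[] = { 'Q', 'E', 'M', 'U' };

static State make_demo_state(void)
{
    State s;
    memset(&s, 0, sizeof s);
    s.cur_entry = SEL_INVALID;
    s.entries[0][1].data = demo_blob;
    s.entries[0][1].len = sizeof demo_blob;
    return s;
}

/* The guarded form: with SEL_INVALID the unguarded expression
 * &entries[arch][SEL_INVALID & ENTRY_MASK] would name element 0x3fff of a
 * 4-element row, an address that does not exist. Returning NULL instead
 * means no such address is ever formed, and callers get one value to test. */
static Entry *current_entry(State *s)
{
    int arch = !!(s->cur_entry & ARCH_LOCAL);
    if (s->cur_entry == SEL_INVALID) {
        return NULL;
    }
    return &s->entries[arch][s->cur_entry & ENTRY_MASK];
}

/* Read one byte of the selected entry; -1 when nothing usable is selected.
 * Every dereference of e sits behind the NULL test, the ordering the
 * patch's "cur_entry == FW_CFG_INVALID || !e->data" condition relies on. */
static int read_byte(State *s)
{
    Entry *e = current_entry(s);
    if (e == NULL || e->data == NULL || s->cur_offset >= e->len) {
        return -1;
    }
    return e->data[s->cur_offset++];
}

/* Select an entry; an index outside the table is stored as SEL_INVALID,
 * so for any selector that is not SEL_INVALID the masked index is in range. */
static void select_entry(State *s, uint16_t key)
{
    s->cur_offset = 0;
    if ((key & ENTRY_MASK) >= MAX_ENTRY) {
        s->cur_entry = SEL_INVALID;
    } else {
        s->cur_entry = key;
    }
}

int main(void)
{
    State s = make_demo_state();
    int c;

    select_entry(&s, 1);                 /* valid: generic table, slot 1 */
    while ((c = read_byte(&s)) != -1) {
        putchar(c);
    }
    putchar('\n');

    select_entry(&s, 0x3fff);            /* out of range: stored as invalid */
    printf("invalid selector -> %d\n", read_byte(&s));
    return 0;
}
```

Build with `cc -Wall -Wextra` and run it; the first selection prints the sample blob and the second returns -1 without touching any pointer. The model keeps the same `arch` computation before the validity test, as the patch does, to show that computing the table index from an invalid selector is harmless as long as that index is never used to form an address.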