From mboxrd@z Thu Jan 1 00:00:00 1970
References: <1468244718-3731-1-git-send-email-guangrong.xiao@linux.intel.com> <1468244718-3731-5-git-send-email-guangrong.xiao@linux.intel.com> <20160714121750.GL15476@stefanha-x1.localdomain>
From: Xiao Guangrong
Message-ID: <5788941D.1030509@linux.intel.com>
Date: Fri, 15 Jul 2016 15:43:25 +0800
MIME-Version: 1.0
In-Reply-To: <20160714121750.GL15476@stefanha-x1.localdomain>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 4/8] nvdimm acpi: implement Read FIT function
To: Stefan Hajnoczi
Cc: pbonzini@redhat.com, imammedo@redhat.com, gleb@kernel.org, mtosatti@redhat.com, mst@redhat.com, rth@twiddle.net, ehabkost@redhat.com, dan.j.williams@intel.com, kvm@vger.kernel.org, qemu-devel@nongnu.org

On 07/14/2016 08:17 PM, Stefan Hajnoczi wrote:
>> +/* Read FIT data, defined in docs/specs/acpi_nvdimm.txt. */
>> +static void nvdimm_dsm_func_read_fit(NvdimmDsmIn *in, hwaddr dsm_mem_addr)
>> +{
>> +    NvdimmFuncReadFITIn *read_fit;
>> +    NvdimmFuncReadFITOut *read_fit_out;
>> +    GSList *device_list = nvdimm_get_plugged_device_list();
>> +    GArray *fit = nvdimm_build_device_structure(device_list);
>> +    uint32_t read_len = 0, func_ret_status;
>> +    int left, size;
>> +
>> +    read_fit = (NvdimmFuncReadFITIn *)in->arg3;
>> +    le32_to_cpus(&read_fit->offset);
>> +
>> +    nvdimm_debug("Read FIT: offset %#x FIT size %#x.\n", read_fit->offset,
>> +                 fit->len);
>> +
>> +    left = fit->len - read_fit->offset;
>> +    if (left < 0) {
>
> Signed integer overflow leads to memory disclosure in memcpy() below.
> The problem occurs when (guint)fit->len - (uint32_t)read_fit->offset >
> INT_MAX.
>
> Please perform the check like this:
>
>     if (fit->offset >= fit->len) {
>

Ah, yes, you are right, thank you for pointing it out. Will fix it.
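Review bot: the bounds check at the end of the quoted hunk, `left = fit->len - read_fit->offset; if (left < 0)`, subtracts two unsigned 32-bit values (`fit->len` is a GArray `guint`, `read_fit->offset` a `uint32_t`) and stores the result in `int left`, so a guest-controlled offset larger than `fit->len` can wrap to a non-negative `left` and slip past the check; compare the unsigned values directly before any subtraction, e.g. `if (read_fit->offset >= fit->len) {` (the field lives in `read_fit`, not `fit`, as the `le32_to_cpus(&read_fit->offset)` line above shows), and only then compute the remaining length. The error path taken when that check fails should also release `device_list` and `fit`, both of which are allocated at the top of the function.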