From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Peter Maydell <peter.maydell@linaro.org>,
Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH] hw/intc/openpic: Avoid taking address of out-of-bounds array index
Date: Thu, 14 Nov 2024 15:35:14 +0100
Message-ID: <7b8586e7-137d-44b3-bff8-307b81bea17d@linaro.org>
In-Reply-To: <CAFEAcA82rYdZduR73CjJr7hYWG7N5e4Dqmx5j1O=3FT_BqboNQ@mail.gmail.com>
On 14/11/24 13:22, Peter Maydell wrote:
> On Wed, 6 Nov 2024 at 11:58, Mark Cave-Ayland
> <mark.cave-ayland@ilande.co.uk> wrote:
>>
>> On 05/11/2024 18:02, Peter Maydell wrote:
>>
>>> The clang sanitizer complains about the code in the EOI handling
>>> of openpic_cpu_write_internal():
>>>
>>> UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1 ./build/clang/qemu-system-ppc -M mac99,graphics=off -display none -kernel day15/invaders.elf
>>> ../../hw/intc/openpic.c:1034:16: runtime error: index -1 out of bounds for type 'IRQSource[264]' (aka 'struct IRQSource[264]')
>>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/intc/openpic.c:1034:16 in
>>>
>>> This is because we do
>>> src = &opp->src[n_IRQ];$
>>
>> Extra $ symbol at the end of the line here?
>
> Yep (cut-n-paste from an editor that marks end-of-lines).
>
>>> when n_IRQ may be -1. This is in practice harmless because if n_IRQ
>>> is -1 then we don't do anything with the src pointer, but it is
>>> undefined behaviour. (This has been present since this device
>>> was first added to QEMU.)
>>>
>>> Rearrange the code so we only do the array index when n_IRQ is not -1.
>>>
>>> Cc: qemu-stable@nongnu.org
>>> Fixes: e9df014c0b ("Implement embedded IRQ controller for PowerPC 6xx/740 & 75")
>>> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>>> ---
>>> Arguable whether it's worth the stable backport or not...
>>> ---
>>> hw/intc/openpic.c | 15 ++++++++-------
>>> 1 file changed, 8 insertions(+), 7 deletions(-)
>> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
>
> Thanks. I can take this via target-arm.next, or does anybody
> have a different preference?
I had it tagged for my next hw-misc PR but was busy focused on
other things so haven't taken the time for it yet. Better you
take it, thanks!
Phil.
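The pattern the patch describes (forming `&opp->src[n_IRQ]` before checking that `n_IRQ` is not -1, then never dereferencing the pointer) is shown below as an added, self-contained C example. It is not QEMU's openpic.c code: the `IRQSource` fields, the `OpenPICState` layout, and the `eoi_lookup_*`/`eoi_ack` function names are simplified stand-ins chosen for illustration; only the array size 264 is taken from the sanitizer report above. The unsafe variant is kept beside the rearranged one so the difference is visible, but it is intentionally never called with -1 here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 264 matches the 'IRQSource[264]' type named in the UBSan report. */
#define MAX_IRQ 264

/* Simplified stand-in for the emulator's per-source state (assumed fields). */
typedef struct {
    uint32_t ivpr;
    int pending;
} IRQSource;

/* Simplified stand-in for the controller state (assumed layout). */
typedef struct {
    IRQSource src[MAX_IRQ];
} OpenPICState;

/* Shape of the code the patch rearranges: the element address is computed
 * first and the "no IRQ" check comes after. For n_IRQ == -1 the expression
 * &opp->src[-1] is already undefined behaviour in C even though the pointer
 * is never dereferenced; this is exactly what UBSan reports as
 * "index -1 out of bounds". Kept for comparison; do not call it with -1. */
IRQSource *eoi_lookup_unsafe(OpenPICState *opp, int n_IRQ)
{
    IRQSource *src = &opp->src[n_IRQ];   /* UB when n_IRQ == -1 */
    if (n_IRQ == -1) {
        return NULL;
    }
    return src;
}

/* Rearranged form: decide whether there is an IRQ first, and only then form
 * the pointer. This example additionally rejects n_IRQ >= MAX_IRQ; that
 * upper bound is the example's own choice, not something the patch claims. */
IRQSource *eoi_lookup_safe(OpenPICState *opp, int n_IRQ)
{
    if (n_IRQ < 0 || n_IRQ >= MAX_IRQ) {
        return NULL;
    }
    return &opp->src[n_IRQ];
}

/* Acknowledge an EOI for source n_IRQ: clear its pending flag and report
 * whether anything was acknowledged (false when there is no IRQ to ack). */
bool eoi_ack(OpenPICState *opp, int n_IRQ)
{
    IRQSource *src = eoi_lookup_safe(opp, n_IRQ);
    if (src == NULL) {
        return false;
    }
    src->pending = 0;
    return true;
}

/* Controller instance used by the stand-alone demo (constructed state). */
OpenPICState demo_opp;

int main(void)
{
    demo_opp.src[5].pending = 1;
    printf("ack(-1) -> %d\n", eoi_ack(&demo_opp, -1));   /* nothing to do */
    printf("ack(5)  -> %d, pending now %d\n",
           eoi_ack(&demo_opp, 5), demo_opp.src[5].pending);
    printf("ack(%d) -> %d\n", MAX_IRQ, eoi_ack(&demo_opp, MAX_IRQ));
    return 0;
}
```

Building this with `clang -fsanitize=undefined` and calling `eoi_lookup_unsafe(&demo_opp, -1)` reproduces the "index -1 out of bounds" diagnostic from the report; `eoi_lookup_safe` never evaluates the subscript for an invalid index, so the sanitizer stays silent.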
Thread overview: 5+ messages
2024-11-05 18:02 [PATCH] hw/intc/openpic: Avoid taking address of out-of-bounds array index Peter Maydell
2024-11-06 9:45 ` Richard Henderson
2024-11-06 11:57 ` Mark Cave-Ayland
2024-11-14 13:22 ` Peter Maydell
2024-11-14 14:35 ` Philippe Mathieu-Daudé [this message]