From: Corey Minyard <minyard@acm.org>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "QEMU Developers" <qemu-devel@nongnu.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Corey Minyard" <cminyard@mvista.com>
Subject: Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
Date: Fri, 30 Nov 2018 14:47:17 -0600 [thread overview]
Message-ID: <874bc3cf-825f-7fc5-efed-a39acf1789fa@acm.org> (raw)
In-Reply-To: <CAFEAcA8OuW0o5KmGLPuQB149yXowdb=8DyW5oe1yfjE4H--sPg@mail.gmail.com>
On 11/30/18 11:39 AM, Peter Maydell wrote:
> On Mon, 26 Nov 2018 at 20:04, <minyard@acm.org> wrote:
>> From: Philippe Mathieu-Daudé <philmd@redhat.com>
>>
>> Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a
>> heap overflow.
>> Replace the '8' magic number by a definition, and check no more than
>> this number are created.
>>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> Signed-off-by: Corey Minyard <cminyard@mvista.com>
>> ---
>> hw/i2c/smbus_eeprom.c | 13 +++++++++++--
>> include/hw/i2c/smbus_eeprom.h | 4 +++-
>> 2 files changed, 14 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
>> index 942057dc10..a0dcadbd60 100644
>> --- a/hw/i2c/smbus_eeprom.c
>> +++ b/hw/i2c/smbus_eeprom.c
>> @@ -23,6 +23,7 @@
>> */
>>
>> #include "qemu/osdep.h"
>> +#include "qemu/error-report.h"
>> #include "hw/hw.h"
>> #include "hw/boards.h"
>> #include "hw/i2c/i2c.h"
>> @@ -157,12 +158,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t *eeprom_buf)
>> qdev_init_nofail(dev);
>> }
>>
>> -void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
>> +void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom,
>> const uint8_t *eeprom_spd, int eeprom_spd_size)
>> {
>> int i;
>> + uint8_t *eeprom_buf;
>> +
>> + if (nb_eeprom > SMBUS_EEPROM_MAX) {
>> + error_report("At most %u EEPROM are supported on a SMBus.",
>> + SMBUS_EEPROM_MAX);
>> + exit(1);
> You could also just assert(), since this would be a
> QEMU bug (all callers use fixed values for this argument).
I'm fine either way. Philippe?
>> + }
>> +
>> /* XXX: make this persistent */
>> - uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE);
>> + eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE);
> So if we allocate N buffers as the caller requests, what
> is the thing that means that more than 8 won't work ?
>
> We've now changed from allocating always 8 lots of
> the EEPROM size to possibly allocating fewer than that.
> How does the code in the device know what the size
> of the buffer we're passing as the "data" property is
> now? We don't pass it the number of EEPROMs as a property.
It doesn't have to. Each EEPROM is 256 bytes and that's all the data
it has.
But this whole thing is confusing, I agree. The more I look at this
particular file, the less I like it. But the caller is basically saying:
"I need N EEPROMs, here's the initialization data". That's not
really very flexible, IMHO the EEPROM devices should be created
individually using standard qemu methods.
I'm tempted to rewrite this whole thing to make it cleaner.
-corey
>> if (eeprom_spd_size > 0) {
>> memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size);
>> }
>> diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h
>> index 46fb1a37d6..8436200599 100644
>> --- a/include/hw/i2c/smbus_eeprom.h
>> +++ b/include/hw/i2c/smbus_eeprom.h
>> @@ -25,8 +25,10 @@
>>
>> #include "hw/i2c/i2c.h"
>>
>> +#define SMBUS_EEPROM_MAX 8
>> +
>> void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t *eeprom_buf);
>> -void smbus_eeprom_init(I2CBus *bus, int nb_eeprom,
>> +void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom,
>> const uint8_t *eeprom_spd, int size);
> thanks
> -- PMM
next prev parent reply other threads:[~2018-11-30 20:47 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-26 20:04 [Qemu-devel] [PATCH v3 00/16] Fix/add vmstate handling in some I2C code minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 01/16] i2c: Split smbus into parts minyard
2018-11-26 20:23 ` Philippe Mathieu-Daudé
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 02/16] i2c: have I2C receive operation return uint8_t minyard
2018-11-26 20:23 ` Philippe Mathieu-Daudé
2018-11-27 0:14 ` Corey Minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 03/16] arm:i2c: Don't mask return from i2c_recv() minyard
2018-11-26 20:29 ` Philippe Mathieu-Daudé
2018-11-30 17:26 ` Peter Maydell
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 04/16] i2c: Don't check return value " minyard
2018-11-30 17:25 ` Peter Maydell
2018-11-30 18:53 ` Corey Minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 05/16] i2c: Simplify and correct the SMBus state machine minyard
2018-11-30 18:13 ` Peter Maydell
2018-11-30 21:03 ` Corey Minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 06/16] i2c: Add a length check to the SMBus write handling minyard
2018-11-26 20:33 ` Philippe Mathieu-Daudé
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 07/16] i2c:pm_smbus: Fix pm_smbus handling of I2C block read minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 08/16] boards.h: Ignore migration for SMBus devices on older machines minyard
2018-11-29 12:20 ` Dr. David Alan Gilbert
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 09/16] migration: Add a VMSTATE_BOOL_TEST() macro minyard
2018-11-29 12:22 ` Dr. David Alan Gilbert
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 10/16] i2c:pm_smbus: Fix state transfer minyard
2018-11-29 12:28 ` Dr. David Alan Gilbert
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 11/16] i2c:smbus_slave: Add an SMBus vmstate structure minyard
2018-11-29 13:09 ` Dr. David Alan Gilbert
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 12/16] i2c:smbus_eeprom: Add normal type name and cast to smbus_eeprom.c minyard
2018-11-26 20:35 ` Philippe Mathieu-Daudé
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 13/16] i2c:smbus_eeprom: Add a size constant for the smbus_eeprom size minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 14/16] i2c:smbus_eeprom: Add vmstate handling to the smbus eeprom minyard
2018-11-29 13:29 ` Dr. David Alan Gilbert
2018-12-19 18:52 ` Corey Minyard
2019-01-03 10:44 ` Dr. David Alan Gilbert
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus minyard
2018-11-30 17:39 ` Peter Maydell
2018-11-30 20:47 ` Corey Minyard [this message]
2018-12-01 11:57 ` Peter Maydell
2018-12-01 17:43 ` Philippe Mathieu-Daudé
2018-12-03 21:19 ` Corey Minyard
2018-11-26 20:04 ` [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom minyard
2018-11-26 20:42 ` Philippe Mathieu-Daudé
2018-11-26 22:41 ` Corey Minyard
2018-11-26 23:01 ` Philippe Mathieu-Daudé
2018-11-26 23:58 ` Corey Minyard
2018-11-27 10:54 ` Philippe Mathieu-Daudé
2018-11-27 12:58 ` Corey Minyard
2018-11-27 13:27 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874bc3cf-825f-7fc5-efed-a39acf1789fa@acm.org \
--to=minyard@acm.org \
--cc=cminyard@mvista.com \
--cc=dgilbert@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).