From: Peter Maydell
Date: Thu, 31 May 2018 14:42:47 +0100
Subject: Re: [Qemu-devel] [PATCH v3] ARM: ACPI: Fix use-after-free due to memory realloc
To: Auger Eric
Cc: Shannon Zhao, qemu-arm, QEMU Developers, Philippe Mathieu-Daudé, Shannon Zhao

On 30 May 2018 at 10:03, Auger Eric wrote:
> Hi Shannon,
>
> On 05/30/2018 09:05 AM, Shannon Zhao wrote:
>> acpi_data_push uses g_array_set_size to resize the memory. If there
>> is not enough contiguous memory, the address will change. So the previous
>> pointer can no longer be used. It must update the pointer and use
>> the new one.
>>
>> Also, the previous code wrongly used the le32 conversion of iort->node_offset
>> for subsequent computations, which will result in an incorrect value if the host is
>> not little endian. So use the non-converted one instead.
>>
>> Signed-off-by: Shannon Zhao
> Reviewed-by: Eric Auger

Applied to target-arm.next, thanks.

-- PMM
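The two defects the commit message describes (a pointer into a growable array kept across a push that reallocates it, and arithmetic done on a little-endian-converted offset) are easy to reproduce outside QEMU. The example below is added here and is not QEMU code: `Blob`, `blob_push`, the toy table layout, `build_table` and `check_table` are all assumed names. `blob_push` stands in for acpi_data_push()/g_array_set_size() and deliberately moves the buffer on every call, which is the worst case a realloc can produce, so any pointer taken before a push is stale afterwards. `build_table` shows the correct pattern: remember the table's offset, re-derive the header pointer from it after the last push, and keep the host-order offset for arithmetic while storing only its LE encoding in the table.

```c
/* Added example (not QEMU code): pointer invalidation on a growable array,
 * and host-order vs LE-encoded offsets, on a toy ACPI-style table builder.
 * Assumed names: Blob, blob_push, build_table, check_table. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t *data; size_t len; } Blob;

/* Stand-in for acpi_data_push()/g_array_set_size(): append `size` zeroed
 * bytes and return a pointer to them. Always moves the buffer (the worst
 * case of a realloc), so every pointer obtained earlier now dangles. */
static void *blob_push(Blob *b, size_t size)
{
    uint8_t *fresh = calloc(b->len + size, 1);
    if (!fresh) abort();
    if (b->len) memcpy(fresh, b->data, b->len);
    free(b->data);                 /* old region is gone: old pointers dangle */
    b->data = fresh;
    b->len += size;
    return b->data + (b->len - size);
}

/* Fields in the table are stored little-endian; values used for arithmetic
 * stay in host order, so the result is the same on any host endianness. */
static void put_le32(uint8_t *p, uint32_t v)
{ p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t get_le32(const uint8_t *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Toy layout (not the real ACPI IORT): a header, then node_count nodes. */
enum { HDR_LEN = 0, HDR_NODE_COUNT = 4, HDR_NODE_OFFSET = 8, HDR_SIZE = 12 };
enum { NODE_ID = 0, NODE_OFFSET_IN_TABLE = 4, NODE_SIZE = 8 };

/* Correct pattern: remember offsets, re-derive pointers after a push, and
 * compute with the host-order offset rather than its LE-converted copy. */
static size_t build_table(Blob *b, uint32_t nodes)
{
    size_t table_off = b->len;
    uint8_t *hdr = blob_push(b, HDR_SIZE);
    uint32_t node_offset = HDR_SIZE;                 /* host order, for math */
    put_le32(hdr + HDR_NODE_COUNT, nodes);
    put_le32(hdr + HDR_NODE_OFFSET, node_offset);    /* LE copy in the table */

    for (uint32_t i = 0; i < nodes; i++) {
        uint8_t *node = blob_push(b, NODE_SIZE);     /* `hdr` is now stale */
        put_le32(node + NODE_ID, 0x100 + i);
        put_le32(node + NODE_OFFSET_IN_TABLE, node_offset + i * NODE_SIZE);
    }

    /* Buggy version would do put_le32(hdr + HDR_LEN, ...) through the stale
     * `hdr` (use-after-free). Fixed: re-derive the pointer from the offset. */
    hdr = b->data + table_off;
    put_le32(hdr + HDR_LEN, (uint32_t)(b->len - table_off));
    return table_off;
}

/* Parse the table back; returns 1 if it is self-consistent, else 0. */
static int check_table(const Blob *b, size_t table_off)
{
    const uint8_t *hdr = b->data + table_off;
    uint32_t len = get_le32(hdr + HDR_LEN);
    uint32_t count = get_le32(hdr + HDR_NODE_COUNT);
    uint32_t off = get_le32(hdr + HDR_NODE_OFFSET);
    if (off != HDR_SIZE || len != HDR_SIZE + count * NODE_SIZE) return 0;
    if (table_off + len > b->len) return 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *node = hdr + off + i * NODE_SIZE;
        if (get_le32(node + NODE_ID) != 0x100 + i) return 0;
        if (get_le32(node + NODE_OFFSET_IN_TABLE) != off + i * NODE_SIZE) return 0;
    }
    return 1;
}

int main(void)
{
    Blob b = { 0, 0 };
    size_t off = build_table(&b, 3);
    int ok = check_table(&b, off);
    free(b.data);
    return ok ? 0 : 1;
}
```

Because `blob_push` frees the old buffer unconditionally, writing through the stale `hdr` in the commented-out buggy form would be a real use-after-free that AddressSanitizer reports immediately; with a real realloc the same bug only shows up when the allocator happens to move the block, which is why it survives testing on one host and bites on another.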