Re: [Qemu-devel] [PATCH] lsi53c895a: check script ram address value
From: P J P
Subject: Re: [Qemu-devel] [PATCH] lsi53c895a: check script ram address value
Date: Wed, 21 Nov 2018 14:59:34 +0530 (IST)
Hello Petr, Paolo,
+-- On Tue, 6 Nov 2018, Paolo Bonzini wrote --+
| On 06/11/2018 13:03, Peter Maydell wrote:
| > When can this masking have any effect? These functions are
| > the read and write ops for lsi_ram_ops, which we register with
| > memory_region_init_io(&s->ram_io, OBJECT(s), &lsi_ram_ops, s,
| > "lsi-ram", 0x2000);
| > which specifies a memory region size of 0x2000. So the input
| > addr must be in the 0..0x1fff range already -- or have I missed
| > something ?
| >
| > It would probably be helpful (for readers and static analysers)
| > to assert() that addr is < 0x2000, though.
|
| Indeed, there are cases where the address is used blindly in a memcpy
| with size>1, but this is not one of them.
True, the lsi r/w mmio ops are initialized to be within the MemoryRegion size of
0x2000. IIUC memory_region_access_valid() does not seem to check that the given
'addr' is within the mr->size limit, i.e. 'addr > 0x01FFF' may lead to an OOB access
in doing
    val = s->script_ram[addr >> 2];
Hope I'm not misreading. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F