|
From: | Corey Minyard |
Subject: | Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus |
Date: | Fri, 30 Nov 2018 14:47:17 -0600 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 |
On 11/30/18 11:39 AM, Peter Maydell wrote:
On Mon, 26 Nov 2018 at 20:04, <address@hidden> wrote:From: Philippe Mathieu-Daudé <address@hidden> Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a heap overflow. Replace the '8' magic number by a definition, and check no more than this number are created. Signed-off-by: Philippe Mathieu-Daudé <address@hidden> Signed-off-by: Corey Minyard <address@hidden> --- hw/i2c/smbus_eeprom.c | 13 +++++++++++-- include/hw/i2c/smbus_eeprom.h | 4 +++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c index 942057dc10..a0dcadbd60 100644 --- a/hw/i2c/smbus_eeprom.c +++ b/hw/i2c/smbus_eeprom.c @@ -23,6 +23,7 @@ */ #include "qemu/osdep.h" +#include "qemu/error-report.h" #include "hw/hw.h" #include "hw/boards.h" #include "hw/i2c/i2c.h" @@ -157,12 +158,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t *eeprom_buf) qdev_init_nofail(dev); } -void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom, +void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom, const uint8_t *eeprom_spd, int eeprom_spd_size) { int i; + uint8_t *eeprom_buf; + + if (nb_eeprom > SMBUS_EEPROM_MAX) { + error_report("At most %u EEPROM are supported on a SMBus.", + SMBUS_EEPROM_MAX); + exit(1);You could also just assert(), since this would be a QEMU bug (all callers use fixed values for this argument).
I'm fine either way. Philippe?
+ } + /* XXX: make this persistent */ - uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE); + eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE);So if we allocate N buffers as the caller requests, what is the thing that means that more than 8 won't work ? We've now changed from allocating always 8 lots of the EEPROM size to possibly allocating fewer than that. How does the code in the device know what the size of the buffer we're passing as the "data" property is now? We don't pass it the number of EEPROMs as a property.
It doesn't have to. Each EEPROM is 256 bytes and that's all the data it has. But this whole thing is confusing, I agree. The more I look at this particular file, the less I like it. But the caller is basically saying: "I need N EEPROMs, here's the initialization data". That's not really very flexible, IMHO the EEPROM devices should be created individually using standard qemu methods. I'm tempted to rewrite this whole thing to make it cleaner. -corey
if (eeprom_spd_size > 0) { memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size); } diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h index 46fb1a37d6..8436200599 100644 --- a/include/hw/i2c/smbus_eeprom.h +++ b/include/hw/i2c/smbus_eeprom.h @@ -25,8 +25,10 @@ #include "hw/i2c/i2c.h" +#define SMBUS_EEPROM_MAX 8 + void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t *eeprom_buf); -void smbus_eeprom_init(I2CBus *bus, int nb_eeprom, +void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom, const uint8_t *eeprom_spd, int size);thanks -- PMM
[Prev in Thread] | Current Thread | [Next in Thread] |