Re: [Qemu-ppc] [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow


From: Scott Wood
Subject: Re: [Qemu-ppc] [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
Date: Tue, 27 Sep 2011 12:06:15 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.1.10-1.fc15 Thunderbird/3.1.10

On 09/27/2011 12:01 PM, Alexander Graf wrote:
> 
> On 27.09.2011, at 18:52, Scott Wood wrote:
> 
>> On 09/27/2011 07:45 AM, Alexander Graf wrote:
>>> So this is the main change, right? Why the -1? A guest could potentially 
>>> access pib[-1] using this, no?
>>
>> Not with the values of addr that lead to this code.  The -1 is because
>> IW1/2/3 are 0x1e0/0x1c0/0x1a0.  Previously IW1 would overflow the array.
> 
> We're matching on addr & 0xfe0 and do the switch based on that. Possible 
> values are:
> 
>   0x1a0
>   0x1c0
>   0x1e0
> 
> Then we >> 5 them.
> 
>   0xd
>   0xe
>   0xf
> 
> ... and & 0x3 them
> 
>   0x1
>   0x2
>   0x0

0xd & 0x3 = 1
0xe & 0x3 = 2
0xf & 0x3 = 3

-Scott
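The arithmetic traced in this exchange, written out as a small C program. This is an added illustration, not code from the patch under discussion or from either poster; it assumes three inbound windows indexed 0..2 (the array size is not stated numerically in the thread, only that IW1 overflowed it), and the helper names `old_index`, `fixed_index` and `checked_window_index` are made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: three inbound windows, valid indexes 0..2. */
#define PIW_COUNT 3

/* Register offsets as quoted in the thread: IW1/IW2/IW3 are 0x1e0/0x1c0/0x1a0. */
#define PIW1_OFFSET 0x1e0u
#define PIW2_OFFSET 0x1c0u
#define PIW3_OFFSET 0x1a0u

/* Index derivation as written in the reply: shift right by 5, mask with 0x3.
 * For IW1 this yields 3, one past the end of a 3-entry array. */
static int old_index(uint32_t addr)
{
    return (int)((addr >> 5) & 0x3);
}

/* Same derivation with the -1 Scott describes: IW1/IW2/IW3 map to 2/1/0. */
static int fixed_index(uint32_t addr)
{
    return (int)((addr >> 5) & 0x3) - 1;
}

/* Mirrors the "addr & 0xfe0" switch that guards this code path, then
 * bounds-checks the derived index. Returns the index, or -1 when the
 * address is not a window register or the index would leave the array,
 * so a caller can never read past pib[]. */
static int checked_window_index(uint32_t addr, bool use_fix)
{
    switch (addr & 0xfe0u) {
    case PIW1_OFFSET:
    case PIW2_OFFSET:
    case PIW3_OFFSET:
        break;
    default:
        return -1;
    }

    int idx = use_fix ? fixed_index(addr) : old_index(addr);
    if (idx < 0 || idx >= PIW_COUNT)
        return -1;
    return idx;
}

int main(void)
{
    const uint32_t offsets[] = { PIW1_OFFSET, PIW2_OFFSET, PIW3_OFFSET };

    printf("%-6s %-5s %-6s %-6s %-9s %-9s\n",
           "addr", ">>5", "&0x3", "-1", "old ok?", "fixed ok?");
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        uint32_t a = offsets[i];
        printf("0x%03x  0x%x   %d      %d      %-9s %-9s\n",
               a, a >> 5, old_index(a), fixed_index(a),
               checked_window_index(a, false) >= 0 ? "yes" : "no (OOB)",
               checked_window_index(a, true) >= 0 ? "yes" : "no (OOB)");
    }
    return 0;
}
```

Running it prints one row per window and shows the point of the thread: `0xf & 0x3` is 3, not 0, so without the `-1` the IW1 register lands one element past the end of the window array, and with it the three registers map to 2, 1, 0.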