Re: [Qemu-ppc] [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow
From: Scott Wood
Subject: Re: [Qemu-ppc] [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
Date: Tue, 27 Sep 2011 12:06:15 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.1.10-1.fc15 Thunderbird/3.1.10
On 09/27/2011 12:01 PM, Alexander Graf wrote:
>
> On 27.09.2011, at 18:52, Scott Wood wrote:
>
>> On 09/27/2011 07:45 AM, Alexander Graf wrote:
>>> So this is the main change, right? Why the -1? A guest could potentially
>>> access pib[-1] using this, no?
>>
>> Not with the values of addr that lead to this code. The -1 is because
>> IW1/2/3 are 0x1e0/0x1c0/0x1a0. Previously IW1 would overflow the array.
>
> We're matching on addr & 0xfe0 and do the switch based on that. Possible
> values are:
>
> 0x1a0
> 0x1c0
> 0x1e0
>
> Then we >> 5 them.
>
> 0xd
> 0xe
> 0xf
>
> ... and & 0x3 them
>
> 0x1
> 0x2
> 0x0
0xd & 0x3 = 1
0xe & 0x3 = 2
0xf & 0x3 = 3
-Scott
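Added example (not code from the QEMU patch or from either poster): a small C program that recomputes the window index the two ways discussed in the thread, the old expression `(addr >> 5) & 3` and the patched one with the trailing `-1`, for the three window offsets named above, and bounds-checks the result. The index expressions are reconstructed from the discussion rather than quoted from the e500_pci source, and the three-entry array size is an assumption (the thread only says the old index for IW1 overflowed).

```c
#include <stdint.h>
#include <stdio.h>

/* Window register offsets as given in the thread: IW1/IW2/IW3 are
 * 0x1e0/0x1c0/0x1a0. */
#define IW1_OFFSET 0x1e0u
#define IW2_OFFSET 0x1c0u
#define IW3_OFFSET 0x1a0u

/* Mask used in the thread to select the register group ("addr & 0xfe0"). */
#define WINDOW_MASK 0xfe0u

/* Assumption: the window array has three entries, so any index >= 3 is
 * out of bounds. The page does not state the size. */
#define PIB_ENTRIES 3u

/* Old index expression, reconstructed from the discussion: (addr >> 5) & 3.
 * For IW1 (0x1e0) this yields 3, one past the end of a three-entry array. */
static unsigned old_index(uint32_t addr)
{
    return ((addr & WINDOW_MASK) >> 5) & 3u;
}

/* Patched index expression with the -1 the patch adds: 0x1a0..0x1e0 map to
 * 0..2. An addr whose ((addr >> 5) & 3) is 0 would wrap to UINT_MAX here,
 * which is the pib[-1] concern raised in the thread; the reply states such
 * addr values never reach this code path. */
static unsigned new_index(uint32_t addr)
{
    return (((addr & WINDOW_MASK) >> 5) & 3u) - 1u;
}

/* Returns 1 when idx can safely index pib[PIB_ENTRIES], 0 otherwise. */
static int index_in_bounds(unsigned idx)
{
    return idx < PIB_ENTRIES;
}

int main(void)
{
    const uint32_t offsets[] = { IW1_OFFSET, IW2_OFFSET, IW3_OFFSET };
    const char *names[] = { "IW1", "IW2", "IW3" };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        unsigned o = old_index(offsets[i]);
        unsigned n = new_index(offsets[i]);
        printf("%s (0x%03x): old index %u [%s], new index %u [%s]\n",
               names[i], offsets[i],
               o, index_in_bounds(o) ? "ok" : "OUT OF BOUNDS",
               n, index_in_bounds(n) ? "ok" : "OUT OF BOUNDS");
    }
    return 0;
}
```

Running it prints IW1 with old index 3 flagged out of bounds and new index 2 in bounds, IW2 with 2 and 1, and IW3 with 1 and 0, which is the corrected arithmetic in the reply above.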