On Mon, Jan 8, 2018 at 10:50 PM, Marcel Apfelbaum <address@hidden> wrote:
When all the fw_cfg slots are used, a write is made outside the
bounds of the fw_cfg files array as part of the sort algorithm.
Fix it by avoiding an unnecessary array element move.
Fix also an assert while at it.
Signed-off-by: Marcel Apfelbaum <address@hidden>
---
hw/nvram/fw_cfg.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 753ac0e4ea..4313484b21 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -784,7 +784,7 @@ void fw_cfg_add_file_callback(FWCfgState *s, const char
*filename,
* index and "i - 1" is the one being copied from, thus the
* unusual start and end in the for statement.
*/
- for (i = count + 1; i > index; i--) {
+ for (i = count; i > index; i--) {
Good catch (could be worth a test in fw_cfg-test.c for ASAN check?)
Just some thought, I wonder if the sorting should be done once after
all entries are added, with some higher function like g_array_sort().
s->files->f[i] = s->files->f[i - 1];
s->files->f[i].select = cpu_to_be16(FW_CFG_FILE_FIRST + i);
s->entries[0][FW_CFG_FILE_FIRST + i] =
@@ -833,7 +833,6 @@ void *fw_cfg_modify_file(FWCfgState *s, const char
*filename,
assert(s->files);
index = be32_to_cpu(s->files->count);
- assert(index < fw_cfg_file_slots(s));
for (i = 0; i < index; i++) {
if (strcmp(filename, s->files->f[i].name) == 0) {
@@ -843,6 +842,9 @@ void *fw_cfg_modify_file(FWCfgState *s, const char
*filename,
return ptr;
}
}
+
+ assert(index < fw_cfg_file_slots(s));
+
Well, the assert is redundant with the one in
fw_cfg_add_file_callback() at this point. I think the original assert
is there for sanity check only, before iterating over files.