Re: [Qemu-ppc] [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow


From: Alexander Graf
Subject: Re: [Qemu-ppc] [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
Date: Tue, 27 Sep 2011 14:45:02 +0200

On 27.09.2011, at 10:17, Liu Yu wrote:

> Signed-off-by: Liu Yu <address@hidden>

Patch description missing.

Also, please always CC address@hidden for patches concerning ppc.


> ---
> hw/ppce500_pci.c |   26 ++++++++++++++++----------
> 1 files changed, 16 insertions(+), 10 deletions(-)
> 
> diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
> index 2db365d..3e24e85 100644
> --- a/hw/ppce500_pci.c
> +++ b/hw/ppce500_pci.c
> @@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque, 
> target_phys_addr_t addr)
> 
>     case PPCE500_PCI_IW3:
>     case PPCE500_PCI_IW2:
> -    case PPCE500_PCI_IW1:
> +    case PPCE500_PCI_IW1: {
> +        int idx = ((addr >> 5) & 0x3) - 1;

So this is the main change, right? Why the -1? A guest could potentially access pib[-1] using this, no?

> +
>         switch (addr & 0xC) {
> -        case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
> -        case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
> -        case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
> -        case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
> +        case PCI_PITAR: value = pci->pib[idx].pitar; break;
> +        case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
> +        case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
> +        case PCI_PIWAR: value = pci->pib[idx].piwar; break;
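Review bot: `int idx = ((addr >> 5) & 0x3) - 1;` is only in range if the enclosing `case PPCE500_PCI_IW3/IW2/IW1` labels guarantee that `(addr >> 5) & 0x3` is never 0, and nothing in this hunk states or checks that, so a reader cannot tell from the change alone that `pci->pib[idx]` is safe for every guest-supplied `addr`. Suggest either an explicit range check on `idx` before the inner `switch` (leaving `value` at its default when out of range) or a one-line comment explaining why the subtraction cannot yield -1, and say in the commit message, which currently holds only the Signed-off-by line, how many `pib` entries exist and which index the old `(addr >> 5) & 0x3` could overflow with.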

I'm fairly sure this breaks checkpatch.pl.


Alex