[Qemu-ppc] [PULL 33/33] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
From: David Gibson
Subject: [Qemu-ppc] [PULL 33/33] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
Date: Mon, 21 Sep 2015 11:06:28 +1000
From: Thomas Huth <address@hidden>
The buffer that is allocated in spapr_populate_drconf_memory()
is used for setting both the "ibm,dynamic-memory" and the
"ibm,associativity-lookup-arrays" property. However, only the
size of the first one is taken into account when allocating the
memory. So if the length of the second property is larger than
the length of the first one, we run into a buffer overflow here!
Fix it by taking the length of the second property into account,
too.
Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: David Gibson <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
hw/ppc/spapr.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 6ccf26f..bd34289 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -725,9 +725,12 @@ static int spapr_populate_drconf_memory(sPAPRMachineState
*spapr, void *fdt)
uint32_t *int_buf, *cur_index, buf_len;
int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1;
- /* Allocate enough buffer size to fit in ibm,dynamic-memory */
- buf_len = nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t) +
- sizeof(uint32_t);
+ /*
+ * Allocate enough buffer size to fit in ibm,dynamic-memory
+ * or ibm,associativity-lookup-arrays
+ */
+ buf_len = MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1, nr_nodes * 4 + 2)
+ * sizeof(uint32_t);
cur_index = int_buf = g_malloc0(buf_len);
offset = fdt_add_subnode(fdt, 0, "ibm,dynamic-reconfiguration-memory");
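Review bot: the 4 and 2 in `nr_nodes * 4 + 2` are bare magic numbers, and the new comment only names which properties the buffer must fit, not how that second size is derived; suggest a named constant for the per-node array length or a comment next to the MAX such as `/* M, N header cells + nr_nodes arrays of 4 cells */`, so that a later change to the ibm,associativity-lookup-arrays layout cannot silently drift from this allocation.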
--
2.4.3
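A worked model of the sizing bug, added here as an example and not code from QEMU or from the patch author: it computes the two property sizes the way the old and the new formulas do, then writes the second property through a store that counts cells falling past the buffer end, so the case where the old size is too small shows up as a number rather than as silent heap corruption. LMB_LIST_ENTRY_SIZE (6), ASSOC_ARRAY_LEN (4), the array contents and all helper names are assumptions for illustration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed to match QEMU's SPAPR_DR_LMB_LIST_ENTRY_SIZE: cells per LMB entry
 * in ibm,dynamic-memory. */
#define LMB_LIST_ENTRY_SIZE 6
/* Cells per NUMA node in ibm,associativity-lookup-arrays; this is the "4" in
 * the patch's "nr_nodes * 4 + 2". */
#define ASSOC_ARRAY_LEN 4

/* ibm,dynamic-memory: one count cell, then one entry per LMB. */
static uint32_t dynamic_memory_cells(uint32_t nr_lmbs)
{
    return nr_lmbs * LMB_LIST_ENTRY_SIZE + 1;
}

/* ibm,associativity-lookup-arrays: the M and N header cells, then M arrays
 * of N cells each. */
static uint32_t assoc_lookup_cells(uint32_t nr_nodes)
{
    return nr_nodes * ASSOC_ARRAY_LEN + 2;
}

/* Sizing before the patch: only the first property is considered. */
static size_t buf_len_before(uint32_t nr_lmbs, uint32_t nr_nodes)
{
    (void)nr_nodes;
    return (size_t)dynamic_memory_cells(nr_lmbs) * sizeof(uint32_t);
}

/* Sizing after the patch: the larger of the two users of the buffer. */
static size_t buf_len_after(uint32_t nr_lmbs, uint32_t nr_nodes)
{
    uint32_t a = dynamic_memory_cells(nr_lmbs);
    uint32_t b = assoc_lookup_cells(nr_nodes);
    return (size_t)(a > b ? a : b) * sizeof(uint32_t);
}

/* Store one cell if it fits, otherwise count it as an overflowing write. */
static void put_cell(uint32_t *buf, size_t cap, size_t *idx, uint32_t *over,
                     uint32_t v)
{
    if (*idx < cap) {
        buf[*idx] = v;
    } else {
        (*over)++;
    }
    (*idx)++;
}

/* Write ibm,associativity-lookup-arrays into a buffer of buf_len bytes in the
 * order the property is laid out (M, N, then one array per node; the array
 * contents are constructed for this example). Returns how many cells fell
 * past the end of the buffer; 0 means everything fit. */
static uint32_t fill_assoc_lookup(uint32_t *buf, size_t buf_len,
                                  uint32_t nr_nodes)
{
    size_t cap = buf_len / sizeof(uint32_t);
    size_t idx = 0;
    uint32_t over = 0;

    put_cell(buf, cap, &idx, &over, nr_nodes);        /* M */
    put_cell(buf, cap, &idx, &over, ASSOC_ARRAY_LEN); /* N */
    for (uint32_t n = 0; n < nr_nodes; n++) {
        for (uint32_t k = 0; k < ASSOC_ARRAY_LEN; k++) {
            put_cell(buf, cap, &idx, &over,
                     k == ASSOC_ARRAY_LEN - 1 ? n : 0);
        }
    }
    return over;
}

/* Allocate a zero-filled buffer with the given sizing policy and report how
 * many cells the second property would write past its end. */
static uint32_t overflow_cells(size_t (*sizing)(uint32_t, uint32_t),
                               uint32_t nr_lmbs, uint32_t nr_nodes)
{
    size_t len = sizing(nr_lmbs, nr_nodes);
    uint32_t *buf = calloc(1, len);
    uint32_t over;

    assert(buf != NULL);
    over = fill_assoc_lookup(buf, len, nr_nodes);
    free(buf);
    return over;
}

int main(void)
{
    /* No hot-pluggable memory (nr_lmbs == 0) and one node: the old formula
     * allocates 1 cell, the lookup arrays need 6. */
    printf("nr_lmbs=0, nr_nodes=1: %u cells overflow before, %u after\n",
           overflow_cells(buf_len_before, 0, 1),
           overflow_cells(buf_len_after, 0, 1));
    /* With many LMBs the first property dominates and the old size happens
     * to be enough, which is why the bug only shows on small configurations. */
    printf("nr_lmbs=100, nr_nodes=4: %u cells overflow before, %u after\n",
           overflow_cells(buf_len_before, 100, 4),
           overflow_cells(buf_len_after, 100, 4));
    return 0;
}
```

The second case is the practical lesson: a scratch buffer shared by two writers is only safe if it is sized for the larger of them under every configuration, and a test that only exercises a large guest never hits the small one where the second writer is the bigger.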