[Qemu-ppc] [PULL 33/36] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
From: David Gibson
Subject: [Qemu-ppc] [PULL 33/36] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
Date: Wed, 23 Sep 2015 11:55:35 +1000
From: Thomas Huth <address@hidden>
The buffer that is allocated in spapr_populate_drconf_memory()
is used for setting both the "ibm,dynamic-memory" and the
"ibm,associativity-lookup-arrays" property. However, only the
size of the first one is taken into account when allocating the
memory. So if the length of the second property is larger than
the length of the first one, we run into a buffer overflow here!
Fix it by taking the length of the second property into account,
too.
Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: David Gibson <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
hw/ppc/spapr.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 59fc814..1333375 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -725,9 +725,12 @@ static int spapr_populate_drconf_memory(sPAPRMachineState
*spapr, void *fdt)
uint32_t *int_buf, *cur_index, buf_len;
int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1;
- /* Allocate enough buffer size to fit in ibm,dynamic-memory */
- buf_len = nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t) +
- sizeof(uint32_t);
+ /*
+ * Allocate enough buffer size to fit in ibm,dynamic-memory
+ * or ibm,associativity-lookup-arrays
+ */
+ buf_len = MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1, nr_nodes * 4 + 2)
+ * sizeof(uint32_t);
cur_index = int_buf = g_malloc0(buf_len);
offset = fdt_add_subnode(fdt, 0, "ibm,dynamic-reconfiguration-memory");
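Review bot: the `nr_nodes * 4 + 2` operand of the new MAX() is the only place in this hunk that encodes the size of ibm,associativity-lookup-arrays, and it does so with bare literals, while the other operand uses the named SPAPR_DR_LMB_LIST_ENTRY_SIZE; neither the `4` nor the `2` is explained by the comment above it. The code that actually fills that property lives elsewhere in the function, so the two expressions can drift apart and silently reintroduce the very overflow this patch fixes. Suggest naming the two constants next to SPAPR_DR_LMB_LIST_ENTRY_SIZE (or computing the property length in one helper shared with the fill code), and, as a cheap guard, asserting `cur_index - int_buf <= buf_len / sizeof(uint32_t)` after each fill before the buffer is handed to the fdt. Minor wording: "Allocate enough buffer size to fit in ibm,dynamic-memory or ibm,associativity-lookup-arrays" reads oddly; "Allocate a buffer large enough for either ibm,dynamic-memory or ibm,associativity-lookup-arrays" says the same thing cleanly.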
--
2.4.3
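The allocation bug the commit message describes is a general one: a scratch buffer sized for the first of two serialised structures is reused for the second, and nothing checks that the second fits. The following is an added example, not QEMU code, that models the two fills with a bounds-checked cursor so the underallocation can be observed instead of corrupting the heap. SPAPR_DR_LMB_LIST_ENTRY_SIZE is the name used in the patch but its value (6) is assumed here; ASSOC_ARRAY_WORDS and ASSOC_HEADER_WORDS are names invented for this example to stand for the bare 4 and 2 in the patch, and the entry contents written are placeholders, since only the word counts matter for sizing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* SPAPR_DR_LMB_LIST_ENTRY_SIZE is the QEMU name used in the patch; the value
 * 6 is assumed here. ASSOC_ARRAY_WORDS and ASSOC_HEADER_WORDS are names
 * invented for this example to stand for the bare 4 and 2 in the patch. */
#define SPAPR_DR_LMB_LIST_ENTRY_SIZE 6
#define ASSOC_ARRAY_WORDS 4
#define ASSOC_HEADER_WORDS 2
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Bounds-checked cursor over a uint32_t scratch buffer: records, instead of
 * performing, any write that would run past the end. */
typedef struct {
    uint32_t *base;
    size_t cap_words;
    size_t used_words;
    int overflowed;
} WordBuf;

static void wb_put(WordBuf *wb, uint32_t v)
{
    if (wb->used_words >= wb->cap_words) {
        wb->overflowed = 1;   /* the real code would corrupt the heap here */
        return;
    }
    wb->base[wb->used_words++] = v;
}

/* Byte length allocated before the fix: sized for ibm,dynamic-memory only. */
size_t buf_len_before(unsigned nr_lmbs, unsigned nr_nodes)
{
    (void)nr_nodes;
    return nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t)
           + sizeof(uint32_t);
}

/* Byte length after the fix: the larger of the two properties. */
size_t buf_len_after(unsigned nr_lmbs, unsigned nr_nodes)
{
    return MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1,
               nr_nodes * ASSOC_ARRAY_WORDS + ASSOC_HEADER_WORDS)
           * sizeof(uint32_t);
}

/* ibm,dynamic-memory: one count word, then nr_lmbs entries of
 * SPAPR_DR_LMB_LIST_ENTRY_SIZE words each (placeholder contents). */
static void fill_dynamic_memory(WordBuf *wb, unsigned nr_lmbs)
{
    wb_put(wb, nr_lmbs);
    for (unsigned i = 0; i < nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE; i++)
        wb_put(wb, 0);
}

/* ibm,associativity-lookup-arrays: two header words, then
 * ASSOC_ARRAY_WORDS words per NUMA node (placeholder contents). */
static void fill_assoc_lookup(WordBuf *wb, unsigned nr_nodes)
{
    wb_put(wb, nr_nodes);
    wb_put(wb, ASSOC_ARRAY_WORDS);
    for (unsigned i = 0; i < nr_nodes * ASSOC_ARRAY_WORDS; i++)
        wb_put(wb, i);
}

/* Reuse one buffer of buf_len bytes for both properties, as the function in
 * the patch does. Returns 1 if either fill would have overflowed, 0 if not,
 * -1 on allocation failure. */
int populate_overflows(size_t buf_len, unsigned nr_lmbs, unsigned nr_nodes)
{
    uint32_t *buf = calloc(1, buf_len);
    WordBuf wb = { buf, buf_len / sizeof(uint32_t), 0, 0 };
    int rc;

    if (!buf)
        return -1;
    fill_dynamic_memory(&wb, nr_lmbs);
    wb.used_words = 0;            /* first property written out; rewind */
    fill_assoc_lookup(&wb, nr_nodes);
    rc = wb.overflowed;
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed worst case: one LMB but four NUMA nodes, so the second
     * property (18 words) is larger than the first (7 words). */
    unsigned nr_lmbs = 1, nr_nodes = 4;
    printf("before fix: %zu bytes, overflow=%d\n",
           buf_len_before(nr_lmbs, nr_nodes),
           populate_overflows(buf_len_before(nr_lmbs, nr_nodes), nr_lmbs, nr_nodes));
    printf("after fix:  %zu bytes, overflow=%d\n",
           buf_len_after(nr_lmbs, nr_nodes),
           populate_overflows(buf_len_after(nr_lmbs, nr_nodes), nr_lmbs, nr_nodes));
    return 0;
}
```

The interesting input is the one the commit message singles out: few LMBs and many NUMA nodes, where the second property outgrows the first. With the pre-fix formula the buffer holds 7 words and the associativity fill needs 18; with the MAX() formula both fills fit. The reverse case (many LMBs, one node) never overflowed, which is why the bug went unnoticed on non-NUMA guests.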