----- Original Message ----- > From: "Cédric Le Goater" <c...@kaod.org> > To: "Paolo Bonzini" <pbonz...@redhat.com>, qemu-devel@nongnu.org > Sent: Tuesday, June 28, 2016 11:05:24 AM > Subject: Re: [PATCH 2/3] m25p80: avoid out of bounds accesses > > On 06/28/2016 10:39 AM, Paolo Bonzini wrote: > > s->cur_addr can be made to point outside s->storage, either by > > writing a value >= 128 to s->ear (because s->ear * MAX_3BYTES_SIZE > > is a signed integer and sign-extends into the 64-bit cur_addr), > > or just by writing an address beyond the size of the flash being > > emulated. Avoid the sign extension to make the code cleaner, and > > on top of that mask s->cur_addr to s->size. > > > > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> > > Yes. We can trash memory very easily with the m25p80 object so we > clearly want this fix. > > Maybe, we could add a guest error when going beyond storage and > the case doing flash_write8() needs some care also.
I don't know, it's quite possible that real hardware does an AND simply because some address lines are not connected anywhere. Paolo
