[Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
From: Gonglei arei.gong...@huawei.com

When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the s->acpi_pcihp_pci_status[bsel] array will be out of bounds. Add check for this.

Signed-off-by: Gonglei arei.gong...@huawei.com

--- hw/acpi/pcihp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index fae663a..34dedf1 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) uint32_t val = 0; int bsel = s-hotplug_select; -if (bsel 0 || bsel ACPI_PCIHP_MAX_HOTPLUG_BUS) { +if (bsel 0 || bsel = ACPI_PCIHP_MAX_HOTPLUG_BUS) { return 0; } -- 1.7.12.4
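Review bot: the corrected upper bound in pci_read protects only this one consumer of s->hotplug_select; the selector itself is still stored unvalidated, so every other place that indexes acpi_pcihp_pci_status[] with it has to repeat the same comparison correctly. It is worth checking those sites for the same off-by-one as part of this patch, or rejecting an out-of-range value at the point where hotplug_select is stored, so that readers cannot disagree about the limit. Per the commit message the condition must reject bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS, i.e. `bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS`. Because bsel is declared int here, the `bsel < 0` arm depends on how the stored selector converts; if that field is unsigned, a single unsigned comparison against the limit would cover both arms. Returning 0 silently for an invalid selector also hides the condition from anyone debugging it, so a trace point on that path would help.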
Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
On Tue, 2014-08-19 at 15:18 +0800, arei.gong...@huawei.com wrote:

From: Gonglei arei.gong...@huawei.com

When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the s->acpi_pcihp_pci_status[bsel] array will be out of bounds.

I would change the commit message to something like Prevent out-of-bounds array access on acpi_pcihp_pci_status. Other than that, it looks OK to me.

Thanks,
Marcel

Add check for this.

Signed-off-by: Gonglei arei.gong...@huawei.com

--- hw/acpi/pcihp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index fae663a..34dedf1 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) uint32_t val = 0; int bsel = s-hotplug_select; -if (bsel 0 || bsel ACPI_PCIHP_MAX_HOTPLUG_BUS) { +if (bsel 0 || bsel = ACPI_PCIHP_MAX_HOTPLUG_BUS) { return 0; }
Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
On Tue, Aug 19, 2014 at 5:18 PM, arei.gong...@huawei.com wrote:

From: Gonglei arei.gong...@huawei.com

When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the s->acpi_pcihp_pci_status[bsel] array will be out of bounds. Add check for this.

Signed-off-by: Gonglei arei.gong...@huawei.com

Reviewed-by: Peter Crosthwaite peter.crosthwa...@xilinx.com

--- hw/acpi/pcihp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index fae663a..34dedf1 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) uint32_t val = 0; int bsel = s-hotplug_select; -if (bsel 0 || bsel ACPI_PCIHP_MAX_HOTPLUG_BUS) { +if (bsel 0 || bsel = ACPI_PCIHP_MAX_HOTPLUG_BUS) { return 0; } -- 1.7.12.4
Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
-----Original Message-----
From: Marcel Apfelbaum [mailto:marcel.apfelb...@gmail.com]
Sent: Tuesday, August 19, 2014 11:00 PM
To: Gonglei (Arei)
Cc: qemu-devel@nongnu.org; Huangweidong (C); m...@redhat.com
Subject: Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds

On Tue, 2014-08-19 at 15:18 +0800, arei.gong...@huawei.com wrote:

From: Gonglei arei.gong...@huawei.com

When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the s->acpi_pcihp_pci_status[bsel] array will be out of bounds.

I would change the commit message to something like Prevent out-of-bounds array access on acpi_pcihp_pci_status. Other than that, it looks OK to me.

Thanks,
Marcel

OK, it's better, thanks. V2 will be posted.

Best regards,
-Gonglei

Add check for this.

Signed-off-by: Gonglei arei.gong...@huawei.com

--- hw/acpi/pcihp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index fae663a..34dedf1 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) uint32_t val = 0; int bsel = s-hotplug_select; -if (bsel 0 || bsel ACPI_PCIHP_MAX_HOTPLUG_BUS) { +if (bsel 0 || bsel = ACPI_PCIHP_MAX_HOTPLUG_BUS) { return 0; }
Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
-----Original Message-----
From: peter.crosthwa...@petalogix.com [mailto:peter.crosthwa...@petalogix.com] On Behalf Of Peter Crosthwaite
Sent: Tuesday, August 19, 2014 11:12 PM
To: Gonglei (Arei)
Cc: qemu-devel@nongnu.org Developers; Huangweidong (C); Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds

On Tue, Aug 19, 2014 at 5:18 PM, arei.gong...@huawei.com wrote:

From: Gonglei arei.gong...@huawei.com

When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the s->acpi_pcihp_pci_status[bsel] array will be out of bounds. Add check for this.

Signed-off-by: Gonglei arei.gong...@huawei.com

Reviewed-by: Peter Crosthwaite peter.crosthwa...@xilinx.com

Thanks.

Best regards,
-Gonglei

--- hw/acpi/pcihp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index fae663a..34dedf1 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) uint32_t val = 0; int bsel = s-hotplug_select; -if (bsel 0 || bsel ACPI_PCIHP_MAX_HOTPLUG_BUS) { +if (bsel 0 || bsel = ACPI_PCIHP_MAX_HOTPLUG_BUS) { return 0; } -- 1.7.12.4