Re: [Qemu-arm] arbitrarily address wirte in pxa2xx_pm

qemu-arm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-arm] arbitrarily address wirte in pxa2xx_pm_write

From:	Peter Maydell
Subject:	Re: [Qemu-arm] arbitrarily address wirte in pxa2xx_pm_write
Date:	Sun, 21 Apr 2019 15:13:44 +0100

On Sun, 21 Apr 2019 at 04:37, sohu0106 <address@hidden> wrote:
>
>
> in function pxa2xx_pm_write()[hw/arm/pxa2xx.c] with qemu version under 
> 4.0-rc4 do not check the addr rang in the default case, it will lead
> to arbitrarily address write in guest.
>
>
>  137     default:    /* Read-write registers */
>  138         if (!(addr & 3)) {
>  139             s->pm_regs[addr >> 2] = value;
>  140             break;
>  141         }

Have you found a test case where this can happen?
The pm_regs array is size 0x40, and the memory
region ops are registered with

    memory_region_init_io(&s->pm_iomem, NULL, &pxa2xx_pm_ops, s,
"pxa2xx-pm", 0x100);

(using a size of 0x100), so don't I think that it's
possible for the size parameter in this function to
be 0x100 or larger, and so addr >> 2 should always
be within the array bounds. Have I missed something ?

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-arm] arbitrarily address wirte in pxa2xx_pm_write, sohu0106, 2019/04/21
- Re: [Qemu-arm] arbitrarily address wirte in pxa2xx_pm_write, Peter Maydell <=

Prev by Date: [Qemu-arm] arbitrarily address wirte in pxa2xx_pm_write
Next by Date: Re: [Qemu-arm] [Qemu-devel] [RFC PATCH] hw/arm/virt: use variable size of flash device to save memory
Previous by thread: [Qemu-arm] arbitrarily address wirte in pxa2xx_pm_write
Index(es):
- Date
- Thread