Re: [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
From: Alexander Graf
Subject: Re: [Qemu-devel] [PATCH] ppc/e500_pci: Fix an array overflow issue
Date: Tue, 27 Sep 2011 14:45:02 +0200
On 27.09.2011, at 10:17, Liu Yu wrote:
> Signed-off-by: Liu Yu <address@hidden>
Patch description missing.
Also, please always CC address@hidden for patches concerning ppc.
> ---
> hw/ppce500_pci.c | 26 ++++++++++++++++----------
> 1 files changed, 16 insertions(+), 10 deletions(-)
>
> diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
> index 2db365d..3e24e85 100644
> --- a/hw/ppce500_pci.c
> +++ b/hw/ppce500_pci.c
> @@ -108,15 +108,18 @@ static uint32_t pci_reg_read4(void *opaque,
> target_phys_addr_t addr)
>
> case PPCE500_PCI_IW3:
> case PPCE500_PCI_IW2:
> - case PPCE500_PCI_IW1:
> + case PPCE500_PCI_IW1: {
> + int idx = ((addr >> 5) & 0x3) - 1;
So this is the main change, right? Why the -1? A guest could potentially access
pib[-1] using this, no?
> +
> switch (addr & 0xC) {
> - case PCI_PITAR: value = pci->pib[(addr >> 5) & 0x3].pitar; break;
> - case PCI_PIWBAR: value = pci->pib[(addr >> 5) & 0x3].piwbar; break;
> - case PCI_PIWBEAR: value = pci->pib[(addr >> 5) & 0x3].piwbear; break;
> - case PCI_PIWAR: value = pci->pib[(addr >> 5) & 0x3].piwar; break;
> + case PCI_PITAR: value = pci->pib[idx].pitar; break;
> + case PCI_PIWBAR: value = pci->pib[idx].piwbar; break;
> + case PCI_PIWBEAR: value = pci->pib[idx].piwbear; break;
> + case PCI_PIWAR: value = pci->pib[idx].piwar; break;
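Review bot: the `- 1` in `int idx = ((addr >> 5) & 0x3) - 1;` gives idx == -1 whenever bits 5..6 of the guest-supplied addr are zero, and nothing in this hunk rejects that case, so `pci->pib[idx]` then reads one element before the array. Either guard it (for example `if (idx < 0) break;` together with an upper bound against the size of pib[]) or explain in the commit message why reaching this block through the IW1..IW3 case labels guarantees a selector of 1..3; the commit message should also say why the previous `(addr >> 5) & 0x3` index (range 0..3) overflowed the array, since that is the bug the subject line names.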
I'm fairly sure this breaks checkpatch.pl.
Alex
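The point raised above is that a guest-controlled MMIO offset is turned into an array index, so the decode must reject every selector value that does not map to an element of pib[]. The following is an added example written for this page, not QEMU's ppce500_pci.c: it keeps the patch's decode (`(addr >> 5) & 0x3` selects the window, `addr & 0xC` selects the field) but bounds-checks the result on both sides. The register offsets, the three-window size of pib[] and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the inbound-window register bank. Field names follow
 * the patch; the field offsets and the window count are assumptions made for
 * this example, not e500 hardware values. */
typedef uint64_t target_phys_addr_t;

enum { PCI_PITAR = 0x0, PCI_PIWBAR = 0x4, PCI_PIWBEAR = 0x8, PCI_PIWAR = 0xC };
#define PPCE500_PCI_NR_PIB 3   /* assumption: windows IW1..IW3 -> pib[0..2] */

struct pci_inbound {
    uint32_t pitar, piwbar, piwbear, piwar;
};

struct pci_state {
    struct pci_inbound pib[PPCE500_PCI_NR_PIB];
};

/* Decode the window selector the same way the patch does. A selector of 0
 * has no backing element, so report it as -1 instead of letting the caller
 * compute pib[-1]. */
int pib_index(target_phys_addr_t addr)
{
    int sel = (int)((addr >> 5) & 0x3);
    if (sel == 0)
        return -1;
    return sel - 1;
}

/* Read one 32-bit inbound-window register. Returns false and leaves *value
 * untouched when the selector falls outside pib[], so no guest-chosen addr
 * can index before or past the array. */
bool pib_read4(const struct pci_state *pci, target_phys_addr_t addr,
               uint32_t *value)
{
    int idx = pib_index(addr);
    if (idx < 0 || idx >= PPCE500_PCI_NR_PIB)
        return false;

    const struct pci_inbound *w = &pci->pib[idx];
    switch (addr & 0xC) {
    case PCI_PITAR:   *value = w->pitar;   return true;
    case PCI_PIWBAR:  *value = w->piwbar;  return true;
    case PCI_PIWBEAR: *value = w->piwbear; return true;
    case PCI_PIWAR:   *value = w->piwar;   return true;
    }
    return false;   /* unreachable: addr & 0xC always matches a case */
}
```

Returning a failure flag rather than a default value keeps the decision about what an unmapped register reads as (typically all-ones or zero in a device model) at the call site, where the caller knows the device's conventions; the checks themselves are what a reviewer would want to see next to any `idx - 1` derived from guest input.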