[Qemu-stable] [PATCH 056/113] hw/block/pflash_cfi: fix off-by-one error
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 056/113] hw/block/pflash_cfi: fix off-by-one error |
Date: |
Mon, 18 Jun 2018 20:42:22 -0500 |
From: Philippe Mathieu-Daudé <address@hidden>
ASAN reported:
hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for
type 'uint8_t [82]'
Since the 'cfi_len' member is not used, remove it to keep the code safer.
Cc: address@hidden
Reported-by: AddressSanitizer
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 07c13a71721d9f8c690b66752964e254af247475)
Signed-off-by: Michael Roth <address@hidden>
---
hw/block/pflash_cfi01.c | 10 ++++------
hw/block/pflash_cfi02.c | 9 ++++-----
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index 1113ab1ccf..2e8284001d 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -90,7 +90,6 @@ struct pflash_t {
uint16_t ident1;
uint16_t ident2;
uint16_t ident3;
- uint8_t cfi_len;
uint8_t cfi_table[0x52];
uint64_t counter;
unsigned int writeblock_size;
@@ -153,7 +152,7 @@ static uint32_t pflash_cfi_query(pflash_t *pfl, hwaddr
offset)
boff = offset >> (ctz32(pfl->bank_width) +
ctz32(pfl->max_device_width) - ctz32(pfl->device_width));
- if (boff > pfl->cfi_len) {
+ if (boff >= sizeof(pfl->cfi_table)) {
return 0;
}
/* Now we will construct the CFI response generated by a single
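Review bot: The new bound `if (boff >= sizeof(pfl->cfi_table))` is right, but nothing at the check records why the array itself is the limit, and the removed `> pfl->cfi_len` form is exactly what let index 0x52 through when the cached length equalled the array size. A one-line comment would keep a future refactor from reintroducing a separately maintained length: `/* Offsets past the CFI table read as 0; bound on the array, never on a cached length. */`. The same comment belongs on the two pflash_read hunks (this file and pflash_cfi02.c), which carry the identical check. pflash_cfi_query starts and ends outside this hunk, so the derivation of `boff` before the shift on the first context lines is not visible here.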
@@ -385,10 +384,10 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset,
boff = boff >> 2;
}
- if (boff > pfl->cfi_len) {
- ret = 0;
- } else {
+ if (boff < sizeof(pfl->cfi_table)) {
ret = pfl->cfi_table[boff];
+ } else {
+ ret = 0;
}
} else {
/* If we have a read larger than the bank_width, combine multiple
@@ -791,7 +790,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Error
**errp)
pfl->cmd = 0;
pfl->status = 0;
/* Hardcoded CFI table */
- pfl->cfi_len = 0x52;
/* Standard "QRY" string */
pfl->cfi_table[0x10] = 'Q';
pfl->cfi_table[0x11] = 'R';
diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index c81ddd3a99..75d1ae1026 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -83,7 +83,6 @@ struct pflash_t {
uint16_t ident3;
uint16_t unlock_addr0;
uint16_t unlock_addr1;
- uint8_t cfi_len;
uint8_t cfi_table[0x52];
QEMUTimer *timer;
/* The device replicates the flash memory across its memory space. Emulate
@@ -235,10 +234,11 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset,
break;
case 0x98:
/* CFI query mode */
- if (boff > pfl->cfi_len)
- ret = 0;
- else
+ if (boff < sizeof(pfl->cfi_table)) {
ret = pfl->cfi_table[boff];
+ } else {
+ ret = 0;
+ }
break;
}
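Review bot: The old `boff > pfl->cfi_len` admitted `boff == 0x52`, a one-byte read past `cfi_table` into whatever follows it in `pflash_t` (padding or the adjacent `timer` pointer, per the struct hunk above), and since `ret` is presumably what the MMIO read hands back, that byte was guest-observable; the fix closes it, but nothing in the series pins the boundary. A regression test that puts the device in CFI query mode (`cmd == 0x98`, as the `case` here shows) and reads table offsets 0x51 and 0x52, expecting the last table byte and then 0, would catch the bound drifting again in either file. The same applies to the two pflash_read/pflash_cfi_query hunks in pflash_cfi01.c. pflash_read begins and ends outside this hunk.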
@@ -663,7 +663,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Error
**errp)
pfl->cmd = 0;
pfl->status = 0;
/* Hardcoded CFI table (mostly from SG29 Spansion flash) */
- pfl->cfi_len = 0x52;
/* Standard "QRY" string */
pfl->cfi_table[0x10] = 'Q';
pfl->cfi_table[0x11] = 'R';
--
2.11.0