* [Qemu-devel] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun
From: Peter A. G. Crosthwaite @ 2012-06-19  6:44 UTC (permalink / raw)
  To: qemu-trivial, qemu-devel; +Cc: Jim Meyering, Peter A. G. Crosthwaite

From: Jim Meyering <meyering@redhat.com>

Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
of bytes to clear.  The latter would always clear 4 or 8
bytes, possibly writing beyond the end of that stack buffer.
Alternatively, depending on the value of the "size" parameter,
it could fail to initialize the end of "rxbuf".
Spotted by coverity.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Peter A. G. Crosthwaite <peter.croshtwaite@petalogix.com>
---
 hw/cadence_gem.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/cadence_gem.c b/hw/cadence_gem.c
index e2140ae..dbde392 100644
--- a/hw/cadence_gem.c
+++ b/hw/cadence_gem.c
@@ -664,7 +664,7 @@ static ssize_t gem_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
          */
 
         memcpy(rxbuf, buf, size);
-        memset(rxbuf + size, 0, sizeof(rxbuf - size));
+        memset(rxbuf + size, 0, sizeof(rxbuf) - size);
         rxbuf_ptr = rxbuf;
         crc_val = cpu_to_le32(crc32(0, rxbuf, MAX(size, 60)));
         if (size < 60) {
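Review bot: the corrected `memset(rxbuf + size, 0, sizeof(rxbuf) - size);` is only safe when size <= sizeof(rxbuf), and nothing in this hunk shows that bound being enforced before `memcpy(rxbuf, buf, size);`. If size could exceed the array, the memcpy would already overrun and sizeof(rxbuf) - size would wrap to a huge size_t. Worth confirming that an earlier check in gem_receive() (or its caller) clamps size, and mentioning that in the commit message so the fix is understood to depend on it.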
-- 
1.7.3.2
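To make the difference between the two sizeof operands concrete, here is an added C example (not QEMU's code and not part of the thread). RXBUF_LEN and the frame bytes are constructed for the demonstration, and the buggy clear length is clamped so the example itself stays in bounds while still showing the under-initialised tail.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the rxbuf array in gem_receive(); the length
 * is an assumption for this example, not QEMU's value. */
#define RXBUF_LEN 2048

/* The buggy operand, sizeof(rxbuf - size): rxbuf - size is a pointer
 * expression, so sizeof yields the pointer width (4 or 8 bytes) no matter
 * how long the array is or how much of it the frame filled. */
size_t buggy_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    return sizeof(rxbuf - size);
}

/* The corrected operand, sizeof(rxbuf) - size: the bytes memcpy() left. */
size_t fixed_clear_len(size_t size)
{
    uint8_t rxbuf[RXBUF_LEN];
    return sizeof(rxbuf) - size;
}

/* 1 if every byte of b past the frame is zero, else 0. */
static int tail_is_zero(const uint8_t *b, size_t len, size_t size)
{
    for (size_t i = size; i < len; i++)
        if (b[i] != 0) return 0;
    return 1;
}

/* Copy a constructed frame into a poisoned buffer and clear the rest.
 * Returns 1 if the tail is fully zeroed, 0 if stale bytes survive, -1 if
 * the frame does not fit (that bound protects the memcpy and keeps
 * sizeof(rxbuf) - size from wrapping). The buggy length is clamped. */
int pad_and_verify(size_t size, int use_buggy_len)
{
    uint8_t rxbuf[RXBUF_LEN], frame[RXBUF_LEN];
    if (size > sizeof(rxbuf))
        return -1;
    memset(frame, 0x5a, sizeof(frame));   /* constructed payload bytes */
    memset(rxbuf, 0xaa, sizeof(rxbuf));   /* poison: uncleared bytes stay 0xaa */
    size_t clear = use_buggy_len ? buggy_clear_len(size) : fixed_clear_len(size);
    if (clear > sizeof(rxbuf) - size)
        clear = sizeof(rxbuf) - size;     /* in-bounds emulation of the bug */
    memcpy(rxbuf, frame, size);
    memset(rxbuf + size, 0, clear);
    return tail_is_zero(rxbuf, sizeof(rxbuf), size);
}
```

With a 14-byte frame the buggy path zeroes only pointer-width bytes and leaves the rest of the buffer stale, which is the second failure mode the commit message describes.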


* Re: [Qemu-devel] [Qemu-trivial] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun
From: Stefan Hajnoczi @ 2012-06-22  9:03 UTC (permalink / raw)
  To: Peter A. G. Crosthwaite
  Cc: qemu-trivial, Jim Meyering, Peter A. G. Crosthwaite, qemu-devel

On Tue, Jun 19, 2012 at 04:44:38PM +1000, Peter A. G. Crosthwaite wrote:
> From: Jim Meyering <meyering@redhat.com>
> 
> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
> of bytes to clear.  The latter would always clear 4 or 8
> bytes, possibly writing beyond the end of that stack buffer.
> Alternatively, depending on the value of the "size" parameter,
> it could fail to initialize the end of "rxbuf".
> Spotted by coverity.
> 
> Signed-off-by: Jim Meyering <meyering@redhat.com>
> Signed-off-by: Peter A. G. Crosthwaite <peter.croshtwaite@petalogix.com>
> ---
>  hw/cadence_gem.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)

Thanks, applied to the trivial patches tree:
https://github.com/stefanha/qemu/commits/trivial-patches

Stefan


* Re: [Qemu-devel] [Qemu-trivial] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun
From: Peter Maydell @ 2012-06-22  9:09 UTC (permalink / raw)
  To: Stefan Hajnoczi
  Cc: Peter A. G. Crosthwaite, qemu-trivial, Jim Meyering,
	Peter A. G. Crosthwaite, qemu-devel

On 22 June 2012 10:03, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Tue, Jun 19, 2012 at 04:44:38PM +1000, Peter A. G. Crosthwaite wrote:
>> From: Jim Meyering <meyering@redhat.com>
>>
>> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
>> of bytes to clear.

> Thanks, applied to the trivial patches tree:
> https://github.com/stefanha/qemu/commits/trivial-patches

This patch is already in an outstanding arm-devs pullreq (possibly
due to confusion on my part); it would probably be better not to
put it in the trivial-patches tree I guess.

thanks and sorry for the confusion
-- PMM


* Re: [Qemu-devel] [Qemu-trivial] [PATCH] cadence_gem: Avoid stack-writing buffer-overrun
From: Stefan Hajnoczi @ 2012-06-22  9:30 UTC (permalink / raw)
  To: Peter Maydell
  Cc: Peter A. G. Crosthwaite, qemu-trivial, Jim Meyering,
	Peter A. G. Crosthwaite, qemu-devel

On Fri, Jun 22, 2012 at 10:09 AM, Peter Maydell
<peter.maydell@linaro.org> wrote:
> On 22 June 2012 10:03, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>> On Tue, Jun 19, 2012 at 04:44:38PM +1000, Peter A. G. Crosthwaite wrote:
>>> From: Jim Meyering <meyering@redhat.com>
>>>
>>> Use sizeof(rxbuf)-size (not sizeof(rxbuf-size)) as the number
>>> of bytes to clear.
>
>> Thanks, applied to the trivial patches tree:
>> https://github.com/stefanha/qemu/commits/trivial-patches
>
> This patch is already in an outstanding arm-devs pullreq (possibly
> due to confusion on my part); it would probably be better not to
> put it in the trivial-patches tree I guess.

Okay, I've dropped it.

Stefan
