All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
@ 2012-09-04 17:37 Stefan Weil
  2012-09-04 17:57 ` Peter Maydell
  2012-09-10 13:18 ` Aurelien Jarno
  0 siblings, 2 replies; 6+ messages in thread
From: Stefan Weil @ 2012-09-04 17:37 UTC (permalink / raw)
  To: Paul Brook; +Cc: Stefan Weil, qemu-devel

Report from smatch:

mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128

m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
---
 hw/mcf5206.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/mcf5206.c b/hw/mcf5206.c
index 539b391..27753e2 100644
--- a/hw/mcf5206.c
+++ b/hw/mcf5206.c
@@ -378,7 +378,7 @@ static uint32_t m5206_mbar_readb(void *opaque, target_phys_addr_t offset)
 {
     m5206_mbar_state *s = (m5206_mbar_state *)opaque;
     offset &= 0x3ff;
-    if (offset > 0x200) {
+    if (offset >= 0x200) {
         hw_error("Bad MBAR read offset 0x%x", (int)offset);
     }
     if (m5206_mbar_width[offset >> 2] > 1) {
@@ -397,7 +397,7 @@ static uint32_t m5206_mbar_readw(void *opaque, target_phys_addr_t offset)
     m5206_mbar_state *s = (m5206_mbar_state *)opaque;
     int width;
     offset &= 0x3ff;
-    if (offset > 0x200) {
+    if (offset >= 0x200) {
         hw_error("Bad MBAR read offset 0x%x", (int)offset);
     }
     width = m5206_mbar_width[offset >> 2];
@@ -421,7 +421,7 @@ static uint32_t m5206_mbar_readl(void *opaque, target_phys_addr_t offset)
     m5206_mbar_state *s = (m5206_mbar_state *)opaque;
     int width;
     offset &= 0x3ff;
-    if (offset > 0x200) {
+    if (offset >= 0x200) {
         hw_error("Bad MBAR read offset 0x%x", (int)offset);
     }
     width = m5206_mbar_width[offset >> 2];
@@ -445,7 +445,7 @@ static void m5206_mbar_writeb(void *opaque, target_phys_addr_t offset,
     m5206_mbar_state *s = (m5206_mbar_state *)opaque;
     int width;
     offset &= 0x3ff;
-    if (offset > 0x200) {
+    if (offset >= 0x200) {
         hw_error("Bad MBAR write offset 0x%x", (int)offset);
     }
     width = m5206_mbar_width[offset >> 2];
@@ -469,7 +469,7 @@ static void m5206_mbar_writew(void *opaque, target_phys_addr_t offset,
     m5206_mbar_state *s = (m5206_mbar_state *)opaque;
     int width;
     offset &= 0x3ff;
-    if (offset > 0x200) {
+    if (offset >= 0x200) {
         hw_error("Bad MBAR write offset 0x%x", (int)offset);
     }
     width = m5206_mbar_width[offset >> 2];
@@ -497,7 +497,7 @@ static void m5206_mbar_writel(void *opaque, target_phys_addr_t offset,
     m5206_mbar_state *s = (m5206_mbar_state *)opaque;
     int width;
     offset &= 0x3ff;
-    if (offset > 0x200) {
+    if (offset >= 0x200) {
         hw_error("Bad MBAR write offset 0x%x", (int)offset);
     }
     width = m5206_mbar_width[offset >> 2];
-- 
1.7.10

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
  2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
@ 2012-09-04 17:57 ` Peter Maydell
  2012-09-04 18:12   ` Stefan Weil
  2012-09-10 13:18 ` Aurelien Jarno
  1 sibling, 1 reply; 6+ messages in thread
From: Peter Maydell @ 2012-09-04 17:57 UTC (permalink / raw)
  To: Stefan Weil; +Cc: Paul Brook, qemu-devel

On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
> Report from smatch:
>
> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>
> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>
> Signed-off-by: Stefan Weil <sw@weilnetz.de>

Checked against the data sheet -- last documented register is at offset $1F0,
so correcting the offset check rather than the array length is the correct
fix.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

-- PMM

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
  2012-09-04 17:57 ` Peter Maydell
@ 2012-09-04 18:12   ` Stefan Weil
  2012-09-04 18:16     ` Stefan Weil
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Weil @ 2012-09-04 18:12 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Paul Brook, qemu-devel

Am 04.09.2012 19:57, schrieb Peter Maydell:
> On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
>> Report from smatch:
>>
>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>
>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>
>> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> Checked against the data sheet -- last documented register is at offset $1F0,
> so correcting the offset check rather than the array length is the correct
> fix.
>
> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
>
> -- PMM

Then m5206_mbar_width should be shortened to 124 elements
(0x1f0 / 4) _and_ the offset check needs a correction.

-- sw

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
  2012-09-04 18:12   ` Stefan Weil
@ 2012-09-04 18:16     ` Stefan Weil
  2012-09-04 18:31       ` Peter Maydell
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Weil @ 2012-09-04 18:16 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Paul Brook, qemu-devel

Am 04.09.2012 20:12, schrieb Stefan Weil:
> Am 04.09.2012 19:57, schrieb Peter Maydell:
>> On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
>>> Report from smatch:
>>>
>>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 
>>> 'm5206_mbar_width' 128 <= 128
>>>
>>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>>
>>> Signed-off-by: Stefan Weil <sw@weilnetz.de>
>> Checked against the data sheet -- last documented register is at 
>> offset $1F0,
>> so correcting the offset check rather than the array length is the 
>> correct
>> fix.
>>
>> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
>>
>> -- PMM
>
> Then m5206_mbar_width should be shortened to 124 elements
> (0x1f0 / 4) _and_ the offset check needs a correction.
>
> -- sw


Sorry, 125 elements, of course. Or are there undocumented
registers at 0x1f4, 0x1f8 and 0x1fc?

- sw

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
  2012-09-04 18:16     ` Stefan Weil
@ 2012-09-04 18:31       ` Peter Maydell
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Maydell @ 2012-09-04 18:31 UTC (permalink / raw)
  To: Stefan Weil; +Cc: Paul Brook, qemu-devel

On 4 September 2012 19:16, Stefan Weil <sw@weilnetz.de> wrote:
> Am 04.09.2012 20:12, schrieb Stefan Weil:
>> Am 04.09.2012 19:57, schrieb Peter Maydell:
>>> Checked against the data sheet -- last documented register is at
>>> offset $1F0, so correcting the offset check rather than the array
>>> length is the correct fix.

>> Then m5206_mbar_width should be shortened to 124 elements
>> (0x1f0 / 4) _and_ the offset check needs a correction.

Why bother? The relevant offsets will hit the hw_error() cases
in m5206_mbar_read() and m5206_mbar_write() anyway, the same
as for the other cases where there are "holes" in the register
space. The only reason we're doing these checks here is to avoid
overrunning the width array...

> Sorry, 125 elements, of course. Or are there undocumented
> registers at 0x1f4, 0x1f8 and 0x1fc?

If there were, I wouldn't know, because they aren't documented :-)

-- PMM

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
  2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
  2012-09-04 17:57 ` Peter Maydell
@ 2012-09-10 13:18 ` Aurelien Jarno
  1 sibling, 0 replies; 6+ messages in thread
From: Aurelien Jarno @ 2012-09-10 13:18 UTC (permalink / raw)
  To: Stefan Weil; +Cc: Paul Brook, qemu-devel

On Tue, Sep 04, 2012 at 07:37:39PM +0200, Stefan Weil wrote:
> Report from smatch:
> 
> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> 
> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
> 
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> ---
>  hw/mcf5206.c |   12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/mcf5206.c b/hw/mcf5206.c
> index 539b391..27753e2 100644
> --- a/hw/mcf5206.c
> +++ b/hw/mcf5206.c
> @@ -378,7 +378,7 @@ static uint32_t m5206_mbar_readb(void *opaque, target_phys_addr_t offset)
>  {
>      m5206_mbar_state *s = (m5206_mbar_state *)opaque;
>      offset &= 0x3ff;
> -    if (offset > 0x200) {
> +    if (offset >= 0x200) {
>          hw_error("Bad MBAR read offset 0x%x", (int)offset);
>      }
>      if (m5206_mbar_width[offset >> 2] > 1) {
> @@ -397,7 +397,7 @@ static uint32_t m5206_mbar_readw(void *opaque, target_phys_addr_t offset)
>      m5206_mbar_state *s = (m5206_mbar_state *)opaque;
>      int width;
>      offset &= 0x3ff;
> -    if (offset > 0x200) {
> +    if (offset >= 0x200) {
>          hw_error("Bad MBAR read offset 0x%x", (int)offset);
>      }
>      width = m5206_mbar_width[offset >> 2];
> @@ -421,7 +421,7 @@ static uint32_t m5206_mbar_readl(void *opaque, target_phys_addr_t offset)
>      m5206_mbar_state *s = (m5206_mbar_state *)opaque;
>      int width;
>      offset &= 0x3ff;
> -    if (offset > 0x200) {
> +    if (offset >= 0x200) {
>          hw_error("Bad MBAR read offset 0x%x", (int)offset);
>      }
>      width = m5206_mbar_width[offset >> 2];
> @@ -445,7 +445,7 @@ static void m5206_mbar_writeb(void *opaque, target_phys_addr_t offset,
>      m5206_mbar_state *s = (m5206_mbar_state *)opaque;
>      int width;
>      offset &= 0x3ff;
> -    if (offset > 0x200) {
> +    if (offset >= 0x200) {
>          hw_error("Bad MBAR write offset 0x%x", (int)offset);
>      }
>      width = m5206_mbar_width[offset >> 2];
> @@ -469,7 +469,7 @@ static void m5206_mbar_writew(void *opaque, target_phys_addr_t offset,
>      m5206_mbar_state *s = (m5206_mbar_state *)opaque;
>      int width;
>      offset &= 0x3ff;
> -    if (offset > 0x200) {
> +    if (offset >= 0x200) {
>          hw_error("Bad MBAR write offset 0x%x", (int)offset);
>      }
>      width = m5206_mbar_width[offset >> 2];
> @@ -497,7 +497,7 @@ static void m5206_mbar_writel(void *opaque, target_phys_addr_t offset,
>      m5206_mbar_state *s = (m5206_mbar_state *)opaque;
>      int width;
>      offset &= 0x3ff;
> -    if (offset > 0x200) {
> +    if (offset >= 0x200) {
>          hw_error("Bad MBAR write offset 0x%x", (int)offset);
>      }
>      width = m5206_mbar_width[offset >> 2];
> -- 
> 1.7.10
> 

Thanks, applied.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-09-10 13:18 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
2012-09-04 17:57 ` Peter Maydell
2012-09-04 18:12   ` Stefan Weil
2012-09-04 18:16     ` Stefan Weil
2012-09-04 18:31       ` Peter Maydell
2012-09-10 13:18 ` Aurelien Jarno

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.