* [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
@ 2012-09-04 17:37 Stefan Weil
2012-09-04 17:57 ` Peter Maydell
2012-09-10 13:18 ` Aurelien Jarno
0 siblings, 2 replies; 6+ messages in thread
From: Stefan Weil @ 2012-09-04 17:37 UTC (permalink / raw)
To: Paul Brook; +Cc: Stefan Weil, qemu-devel
Report from smatch:
mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
---
hw/mcf5206.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/hw/mcf5206.c b/hw/mcf5206.c
index 539b391..27753e2 100644
--- a/hw/mcf5206.c
+++ b/hw/mcf5206.c
@@ -378,7 +378,7 @@ static uint32_t m5206_mbar_readb(void *opaque, target_phys_addr_t offset)
{
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
offset &= 0x3ff;
- if (offset > 0x200) {
+ if (offset >= 0x200) {
hw_error("Bad MBAR read offset 0x%x", (int)offset);
}
if (m5206_mbar_width[offset >> 2] > 1) {
@@ -397,7 +397,7 @@ static uint32_t m5206_mbar_readw(void *opaque, target_phys_addr_t offset)
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
- if (offset > 0x200) {
+ if (offset >= 0x200) {
hw_error("Bad MBAR read offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@@ -421,7 +421,7 @@ static uint32_t m5206_mbar_readl(void *opaque, target_phys_addr_t offset)
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
- if (offset > 0x200) {
+ if (offset >= 0x200) {
hw_error("Bad MBAR read offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@@ -445,7 +445,7 @@ static void m5206_mbar_writeb(void *opaque, target_phys_addr_t offset,
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
- if (offset > 0x200) {
+ if (offset >= 0x200) {
hw_error("Bad MBAR write offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@@ -469,7 +469,7 @@ static void m5206_mbar_writew(void *opaque, target_phys_addr_t offset,
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
- if (offset > 0x200) {
+ if (offset >= 0x200) {
hw_error("Bad MBAR write offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
@@ -497,7 +497,7 @@ static void m5206_mbar_writel(void *opaque, target_phys_addr_t offset,
m5206_mbar_state *s = (m5206_mbar_state *)opaque;
int width;
offset &= 0x3ff;
- if (offset > 0x200) {
+ if (offset >= 0x200) {
hw_error("Bad MBAR write offset 0x%x", (int)offset);
}
width = m5206_mbar_width[offset >> 2];
--
1.7.10
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
@ 2012-09-04 17:57 ` Peter Maydell
2012-09-04 18:12 ` Stefan Weil
2012-09-10 13:18 ` Aurelien Jarno
1 sibling, 1 reply; 6+ messages in thread
From: Peter Maydell @ 2012-09-04 17:57 UTC (permalink / raw)
To: Stefan Weil; +Cc: Paul Brook, qemu-devel
On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
> Report from smatch:
>
> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>
> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
Checked against the data sheet -- last documented register is at offset $1F0,
so correcting the offset check rather than the array length is the correct
fix.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-- PMM
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
2012-09-04 17:57 ` Peter Maydell
@ 2012-09-04 18:12 ` Stefan Weil
2012-09-04 18:16 ` Stefan Weil
0 siblings, 1 reply; 6+ messages in thread
From: Stefan Weil @ 2012-09-04 18:12 UTC (permalink / raw)
To: Peter Maydell; +Cc: Paul Brook, qemu-devel
Am 04.09.2012 19:57, schrieb Peter Maydell:
> On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
>> Report from smatch:
>>
>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>>
>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>
>> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> Checked against the data sheet -- last documented register is at offset $1F0,
> so correcting the offset check rather than the array length is the correct
> fix.
>
> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
>
> -- PMM
Then m5206_mbar_width should be shortened to 124 elements
(0x1f0 / 4) _and_ the offset check needs a correction.
-- sw
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
2012-09-04 18:12 ` Stefan Weil
@ 2012-09-04 18:16 ` Stefan Weil
2012-09-04 18:31 ` Peter Maydell
0 siblings, 1 reply; 6+ messages in thread
From: Stefan Weil @ 2012-09-04 18:16 UTC (permalink / raw)
To: Peter Maydell; +Cc: Paul Brook, qemu-devel
Am 04.09.2012 20:12, schrieb Stefan Weil:
> Am 04.09.2012 19:57, schrieb Peter Maydell:
>> On 4 September 2012 18:37, Stefan Weil <sw@weilnetz.de> wrote:
>>> Report from smatch:
>>>
>>> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow
>>> 'm5206_mbar_width' 128 <= 128
>>>
>>> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>>>
>>> Signed-off-by: Stefan Weil <sw@weilnetz.de>
>> Checked against the data sheet -- last documented register is at
>> offset $1F0,
>> so correcting the offset check rather than the array length is the
>> correct
>> fix.
>>
>> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
>>
>> -- PMM
>
> Then m5206_mbar_width should be shortened to 124 elements
> (0x1f0 / 4) _and_ the offset check needs a correction.
>
> -- sw
Sorry, 125 elements, of course. Or are there undocumented
registers at 0x1f4, 0x1f8 and 0x1fc?
- sw
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
2012-09-04 18:16 ` Stefan Weil
@ 2012-09-04 18:31 ` Peter Maydell
0 siblings, 0 replies; 6+ messages in thread
From: Peter Maydell @ 2012-09-04 18:31 UTC (permalink / raw)
To: Stefan Weil; +Cc: Paul Brook, qemu-devel
On 4 September 2012 19:16, Stefan Weil <sw@weilnetz.de> wrote:
> Am 04.09.2012 20:12, schrieb Stefan Weil:
>> Am 04.09.2012 19:57, schrieb Peter Maydell:
>>> Checked against the data sheet -- last documented register is at
>>> offset $1F0, so correcting the offset check rather than the array
>>> length is the correct fix.
>> Then m5206_mbar_width should be shortened to 124 elements
>> (0x1f0 / 4) _and_ the offset check needs a correction.
Why bother? The relevant offsets will hit the hw_error() cases
in m5206_mbar_read() and m5206_mbar_write() anyway, the same
as for the other cases where there are "holes" in the register
space. The only reason we're doing these checks here is to avoid
overrunning the width array...
> Sorry, 125 elements, of course. Or are there undocumented
> registers at 0x1f4, 0x1f8 and 0x1fc?
If there were, I wouldn't know, because they aren't documented :-)
-- PMM
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
2012-09-04 17:57 ` Peter Maydell
@ 2012-09-10 13:18 ` Aurelien Jarno
1 sibling, 0 replies; 6+ messages in thread
From: Aurelien Jarno @ 2012-09-10 13:18 UTC (permalink / raw)
To: Stefan Weil; +Cc: Paul Brook, qemu-devel
On Tue, Sep 04, 2012 at 07:37:39PM +0200, Stefan Weil wrote:
> Report from smatch:
>
> mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
> mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128
>
> m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.
>
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> ---
> hw/mcf5206.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/hw/mcf5206.c b/hw/mcf5206.c
> index 539b391..27753e2 100644
> --- a/hw/mcf5206.c
> +++ b/hw/mcf5206.c
> @@ -378,7 +378,7 @@ static uint32_t m5206_mbar_readb(void *opaque, target_phys_addr_t offset)
> {
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR read offset 0x%x", (int)offset);
> }
> if (m5206_mbar_width[offset >> 2] > 1) {
> @@ -397,7 +397,7 @@ static uint32_t m5206_mbar_readw(void *opaque, target_phys_addr_t offset)
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR read offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
> @@ -421,7 +421,7 @@ static uint32_t m5206_mbar_readl(void *opaque, target_phys_addr_t offset)
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR read offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
> @@ -445,7 +445,7 @@ static void m5206_mbar_writeb(void *opaque, target_phys_addr_t offset,
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR write offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
> @@ -469,7 +469,7 @@ static void m5206_mbar_writew(void *opaque, target_phys_addr_t offset,
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR write offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
> @@ -497,7 +497,7 @@ static void m5206_mbar_writel(void *opaque, target_phys_addr_t offset,
> m5206_mbar_state *s = (m5206_mbar_state *)opaque;
> int width;
> offset &= 0x3ff;
> - if (offset > 0x200) {
> + if (offset >= 0x200) {
> hw_error("Bad MBAR write offset 0x%x", (int)offset);
> }
> width = m5206_mbar_width[offset >> 2];
> --
> 1.7.10
>
Thanks, applied.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-09-10 13:18 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-09-04 17:37 [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write Stefan Weil
2012-09-04 17:57 ` Peter Maydell
2012-09-04 18:12 ` Stefan Weil
2012-09-04 18:16 ` Stefan Weil
2012-09-04 18:31 ` Peter Maydell
2012-09-10 13:18 ` Aurelien Jarno
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.