* [RFC] Fix rocker device null pointer crash. qemu config r->fp_ports with "-device rocker, len-ports=10" when guest config port larger than r->fp_ports(10) r->fp_port[port] is null-pointer, qemu will crash null-pointer Reported-by: chenzhe <chenzhe@huawei.com>
From: NAME @ 2021-07-21 11:39 UTC
To: jiri, jasowang; +Cc: qemu-devel
From: sohu0106 <sohu0106@126.com>
Signed-off-by: sohu0106 <sohu0106@126.com>
---
hw/net/rocker/rocker.c | 10 +++++-----
hw/net/rocker/rocker_fp.c | 5 +++--
hw/net/rocker/rocker_fp.h | 2 +-
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 31f2340fb9..431af3982f 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -174,7 +174,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
}
pport = rocker_get_pport_by_tx_ring(r, desc_get_ring(info));
- if (!fp_port_from_pport(pport, &port)) {
+ if (!fp_port_from_pport(r, pport, &port)) {
return -ROCKER_EINVAL;
}
@@ -287,7 +287,7 @@ static int cmd_get_port_settings(Rocker *r,
}
pport = rocker_tlv_get_le32(tlvs[ROCKER_TLV_CMD_PORT_SETTINGS_PPORT]);
- if (!fp_port_from_pport(pport, &port)) {
+ if (!fp_port_from_pport(r, pport, &port)) {
return -ROCKER_EINVAL;
}
fp_port = r->fp_port[port];
@@ -357,7 +357,7 @@ static int cmd_set_port_settings(Rocker *r,
}
pport = rocker_tlv_get_le32(tlvs[ROCKER_TLV_CMD_PORT_SETTINGS_PPORT]);
- if (!fp_port_from_pport(pport, &port)) {
+ if (!fp_port_from_pport(r, pport, &port)) {
return -ROCKER_EINVAL;
}
fp_port = r->fp_port[port];
@@ -538,7 +538,7 @@ int rocker_event_mac_vlan_seen(Rocker *r, uint32_t pport, uint8_t *addr,
int pos;
int err;
- if (!fp_port_from_pport(pport, &port)) {
+ if (!fp_port_from_pport(r, pport, &port)) {
return -ROCKER_EINVAL;
}
fp_port = r->fp_port[port];
@@ -690,7 +690,7 @@ int rocker_port_eg(Rocker *r, uint32_t pport,
FpPort *fp_port;
uint32_t port;
- if (!fp_port_from_pport(pport, &port)) {
+ if (!fp_port_from_pport(r, pport, &port)) {
return -ROCKER_EINVAL;
}
diff --git a/hw/net/rocker/rocker_fp.c b/hw/net/rocker/rocker_fp.c
index cbeed65bd5..45b5020106 100644
--- a/hw/net/rocker/rocker_fp.c
+++ b/hw/net/rocker/rocker_fp.c
@@ -108,9 +108,10 @@ int fp_port_set_settings(FpPort *port, uint32_t speed,
return ROCKER_OK;
}
-bool fp_port_from_pport(uint32_t pport, uint32_t *port)
+bool fp_port_from_pport(Rocker *r, uint32_t pport, uint32_t *port)
{
- if (pport < 1 || pport > ROCKER_FP_PORTS_MAX) {
+ if (pport < 1 || pport > ROCKER_FP_PORTS_MAX ||
+ pport >= rocker_fp_ports(r)) {
return false;
}
*port = pport - 1;
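Review bot: the new bound `pport >= rocker_fp_ports(r)` is off by one. This function maps the 1-based pport to a 0-based index with `*port = pport - 1;`, so when the device is configured with 10 ports the valid pports are 1..10 and the highest legal index into r->fp_port[] is 9; the `>=` test rejects pport 10, which is a usable port, while the existing `pport > ROCKER_FP_PORTS_MAX` clause shows the intended shape of the check is strict greater-than. Suggest `pport > rocker_fp_ports(r)` instead; with that in place the ROCKER_FP_PORTS_MAX clause only remains useful if realize does not already cap r->fp_ports at that constant.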
diff --git a/hw/net/rocker/rocker_fp.h b/hw/net/rocker/rocker_fp.h
index 7ff57aac01..bd1c2588f6 100644
--- a/hw/net/rocker/rocker_fp.h
+++ b/hw/net/rocker/rocker_fp.h
@@ -37,7 +37,7 @@ int fp_port_get_settings(FpPort *port, uint32_t *speed,
uint8_t *duplex, uint8_t *autoneg);
int fp_port_set_settings(FpPort *port, uint32_t speed,
uint8_t duplex, uint8_t autoneg);
-bool fp_port_from_pport(uint32_t pport, uint32_t *port);
+bool fp_port_from_pport(Rocker *r, uint32_t pport, uint32_t *port);
World *fp_port_get_world(FpPort *port);
void fp_port_set_world(FpPort *port, World *world);
bool fp_port_check_world(FpPort *port, World *world);
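Review bot: the changed prototype `bool fp_port_from_pport(Rocker *r, uint32_t pport, uint32_t *port);` now refers to the `Rocker` type in rocker_fp.h, but the hunk adds no include or forward declaration for it. Confirm that the type is already visible at this point in the header; if it is not, add a forward declaration of the type to rocker_fp.h rather than relying on include order in the .c files.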
--
2.25.1
* Re: [RFC] Fix rocker device null pointer crash. qemu config r->fp_ports with "-device rocker, len-ports=10" when guest config port larger than r->fp_ports(10) r->fp_port[port] is null-pointer, qemu will crash null-pointer Reported-by: chenzhe <chenzhe@huawei.com>
From: Peter Maydell @ 2021-07-21 14:35 UTC
To: NAME; +Cc: Jason Wang, Jiří Pírko, QEMU Developers
On Wed, 21 Jul 2021 at 15:23, NAME <sohu0106@126.com> wrote:
>
> From: sohu0106 <sohu0106@126.com>
Hi; you seem to have a misformatted commit message here --
everything has ended up in the Subject line. The first
line of the commit should be a short summary, usually
preceded by an indication of the area of the code
being fixed, like "hw/net/rocker:". Then there should be
a blank line, followed by the more detailed description
of the change. You can look at the git commit logs for
existing commits to get the idea.
> Signed-off-by: sohu0106 <sohu0106@126.com>
We request that Signed-off-by: lines are your full real
name, not a pseudonym or email address; this is because you
are stating with this line that it's legally OK for this
patch to go into QEMU.
You might like to read
https://wiki.qemu.org/Contribute/SubmitAPatch
if you haven't found it already.
> diff --git a/hw/net/rocker/rocker_fp.c b/hw/net/rocker/rocker_fp.c
> index cbeed65bd5..45b5020106 100644
> --- a/hw/net/rocker/rocker_fp.c
> +++ b/hw/net/rocker/rocker_fp.c
> @@ -108,9 +108,10 @@ int fp_port_set_settings(FpPort *port, uint32_t speed,
> return ROCKER_OK;
> }
>
> -bool fp_port_from_pport(uint32_t pport, uint32_t *port)
> +bool fp_port_from_pport(Rocker *r, uint32_t pport, uint32_t *port)
> {
> - if (pport < 1 || pport > ROCKER_FP_PORTS_MAX) {
> + if (pport < 1 || pport > ROCKER_FP_PORTS_MAX ||
> + pport >= rocker_fp_ports(r)) {
> return false;
You don't need to keep the check against ROCKER_FP_PORTS_MAX,
because the realize method will ensure that r->fp_ports is
not larger than ROCKER_FP_PORTS_MAX, and so the single check
against "pport >= rocker_fp_ports(r)" covers that case.
thanks
-- PMM