
pcihp: fix possible array out of bounds

Message ID 1408432724-15676-1-git-send-email-arei.gonglei@huawei.com
State New

Commit Message

Gonglei (Arei) Aug. 19, 2014, 7:18 a.m. UTC
From: Gonglei <arei.gonglei@huawei.com>

When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
s->acpi_pcihp_pci_status[bsel] array access will be out of bounds.

Add check for this.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 hw/acpi/pcihp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marcel Apfelbaum Aug. 19, 2014, 2:59 p.m. UTC | #1
On Tue, 2014-08-19 at 15:18 +0800, arei.gonglei@huawei.com wrote:
> From: Gonglei <arei.gonglei@huawei.com>
> 
> When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> s->acpi_pcihp_pci_status[bsel] array access will be out of bounds.
I would change the commit message to something like
"Prevent out-of-bounds array access on acpi_pcihp_pci_status."

Other than that, it looks OK to me.
Thanks,
Marcel

> 
> Add check for this.
> 
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
>  hw/acpi/pcihp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
> index fae663a..34dedf1 100644
> --- a/hw/acpi/pcihp.c
> +++ b/hw/acpi/pcihp.c
> @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
>      uint32_t val = 0;
>      int bsel = s->hotplug_select;
>  
> -    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> +    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
>          return 0;
>      }
>
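Review bot: The new test `bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS` is tied to the size of acpi_pcihp_pci_status only by convention, since the array's declaration is not part of this hunk. Writing the upper bound as `bsel >= ARRAY_SIZE(s->acpi_pcihp_pci_status)` would keep the guard correct even if the array's dimension and the constant ever diverge, and it makes the intent (valid indices are 0 to size minus 1) visible at the check itself.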
Peter Crosthwaite Aug. 19, 2014, 3:12 p.m. UTC | #2
On Tue, Aug 19, 2014 at 5:18 PM,  <arei.gonglei@huawei.com> wrote:
> From: Gonglei <arei.gonglei@huawei.com>
>
> When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> s->acpi_pcihp_pci_status[bsel] array access will be out of bounds.
>
> Add check for this.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>

> ---
>  hw/acpi/pcihp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
> index fae663a..34dedf1 100644
> --- a/hw/acpi/pcihp.c
> +++ b/hw/acpi/pcihp.c
> @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
>      uint32_t val = 0;
>      int bsel = s->hotplug_select;
>
> -    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
> +    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
>          return 0;
>      }
>
> --
> 1.7.12.4
>
>
>
Gonglei (Arei) Aug. 20, 2014, 2:22 a.m. UTC | #3
> -----Original Message-----
> From: Marcel Apfelbaum [mailto:marcel.apfelbaum@gmail.com]
> Sent: Tuesday, August 19, 2014 11:00 PM
> To: Gonglei (Arei)
> Cc: qemu-devel@nongnu.org; Huangweidong (C); mst@redhat.com
> Subject: Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
>
> On Tue, 2014-08-19 at 15:18 +0800, arei.gonglei@huawei.com wrote:
> > From: Gonglei <arei.gonglei@huawei.com>
> >
> > When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> > s->acpi_pcihp_pci_status[bsel] array access will be out of bounds.
> I would change the commit message to something like
> "Prevent out-of-bounds array access on acpi_pcihp_pci_status."
>
> Other than that, it looks OK to me.
> Thanks,
> Marcel
>

OK, it's better, thanks. V2 will be posted.

Best regards,
-Gonglei
> >
> > Add check for this.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> > ---
> >  hw/acpi/pcihp.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >

> > diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c

> > index fae663a..34dedf1 100644

> > --- a/hw/acpi/pcihp.c

> > +++ b/hw/acpi/pcihp.c

> > @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr,

> unsigned int size)

> >      uint32_t val = 0;

> >      int bsel = s->hotplug_select;

> >

> > -    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {

> > +    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {

> >          return 0;

> >      }

> >

> 

>
Gonglei (Arei) Aug. 20, 2014, 2:24 a.m. UTC | #4
> -----Original Message-----
> From: peter.crosthwaite@petalogix.com
> [mailto:peter.crosthwaite@petalogix.com] On Behalf Of Peter Crosthwaite
> Sent: Tuesday, August 19, 2014 11:12 PM
> To: Gonglei (Arei)
> Cc: qemu-devel@nongnu.org Developers; Huangweidong (C); Michael S. Tsirkin
> Subject: Re: [Qemu-devel] [PATCH] pcihp: fix possible array out of bounds
>
> On Tue, Aug 19, 2014 at 5:18 PM,  <arei.gonglei@huawei.com> wrote:
> > From: Gonglei <arei.gonglei@huawei.com>
> >
> > When 'bsel == ACPI_PCIHP_MAX_HOTPLUG_BUS', the
> > s->acpi_pcihp_pci_status[bsel] array access will be out of bounds.
> >
> > Add check for this.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
>
> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
>

Thanks.

Best regards,
-Gonglei
> > ---
> >  hw/acpi/pcihp.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >

> > diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c

> > index fae663a..34dedf1 100644

> > --- a/hw/acpi/pcihp.c

> > +++ b/hw/acpi/pcihp.c

> > @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr,

> unsigned int size)

> >      uint32_t val = 0;

> >      int bsel = s->hotplug_select;

> >

> > -    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {

> > +    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {

> >          return 0;

> >      }

> >

> > --

> > 1.7.12.4

> >

> >

> >

Patch

diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index fae663a..34dedf1 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -231,7 +231,7 @@  static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
     uint32_t val = 0;
     int bsel = s->hotplug_select;
 
-    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
         return 0;
     }
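
Review bot: Only the guard at the top of pci_read() is corrected, yet `bsel` is taken from `s->hotplug_select`, a value that outlives this one call; the patch touches a single line and does not show whether any other handler in hw/acpi/pcihp.c indexes acpi_pcihp_pci_status with the same field. Please confirm that every such user applies the `>=` bound, or range-check the selector once at the point where hotplug_select is stored so that each reader does not have to repeat the test. The commit message could also state that valid indices run from 0 to ACPI_PCIHP_MAX_HOTPLUG_BUS - 1, which is what makes the old `>` comparison an off-by-one.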