Patchwork cadence_uart: Fix buffer overflow

login
register
mail settings
Submitter Stefan Weil
Date Sept. 1, 2012, 9:12 a.m.
Message ID <1346490743-9652-1-git-send-email-sw@weilnetz.de>
Download mbox | patch
Permalink /patch/181127/
State Accepted
Headers show

Comments

Stefan Weil - Sept. 1, 2012, 9:12 a.m.
Report from smatch:
hw/cadence_uart.c:413 uart_read(13) error: buffer overflow 's->r' 18 <= 18

This fixes read access to s->r[R_MAX] which is behind the limits of s->r.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
---
 hw/cadence_uart.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Peter A. G. Crosthwaite - Sept. 4, 2012, 4:40 a.m.
Thanks Stefan,

Please enqueue to Trivial.

Regards,
Peter

On Sat, Sep 1, 2012 at 7:12 PM, Stefan Weil <sw@weilnetz.de> wrote:
> Report from smatch:
> hw/cadence_uart.c:413 uart_read(13) error: buffer overflow 's->r' 18 <= 18
>
> This fixes read access to s->r[R_MAX] which is behind the limits of s->r.
>
> Signed-off-by: Stefan Weil <sw@weilnetz.de>

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@petalogix.com>

> ---
>  hw/cadence_uart.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/cadence_uart.c b/hw/cadence_uart.c
> index d98e531..f8afc4e 100644
> --- a/hw/cadence_uart.c
> +++ b/hw/cadence_uart.c
> @@ -404,7 +404,7 @@ static uint64_t uart_read(void *opaque, target_phys_addr_t offset,
>      uint32_t c = 0;
>
>      offset >>= 2;
> -    if (offset > R_MAX) {
> +    if (offset >= R_MAX) {
>          return 0;
>      } else if (offset == R_TX_RX) {
>          uart_read_rx_fifo(s, &c);
> --
> 1.7.10
>
Stefan Hajnoczi - Sept. 22, 2012, 3:30 p.m.
On Sat, Sep 01, 2012 at 11:12:23AM +0200, Stefan Weil wrote:
> Report from smatch:
> hw/cadence_uart.c:413 uart_read(13) error: buffer overflow 's->r' 18 <= 18
> 
> This fixes read access to s->r[R_MAX] which is behind the limits of s->r.
> 
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
> ---
>  hw/cadence_uart.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, applied to the trivial patches tree:
https://github.com/stefanha/qemu/commits/trivial-patches

Stefan

Patch

diff --git a/hw/cadence_uart.c b/hw/cadence_uart.c
index d98e531..f8afc4e 100644
--- a/hw/cadence_uart.c
+++ b/hw/cadence_uart.c
@@ -404,7 +404,7 @@  static uint64_t uart_read(void *opaque, target_phys_addr_t offset,
     uint32_t c = 0;
 
     offset >>= 2;
-    if (offset > R_MAX) {
+    if (offset >= R_MAX) {
         return 0;
     } else if (offset == R_TX_RX) {
         uart_read_rx_fifo(s, &c);