From patchwork Wed Aug 27 17:36:19 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Roth X-Patchwork-Id: 383566 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 61469140097 for ; Thu, 28 Aug 2014 06:49:09 +1000 (EST) Received: from localhost ([::1]:33263 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XMk9T-00069S-LO for incoming@patchwork.ozlabs.org; Wed, 27 Aug 2014 16:49:07 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43134) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XMk8t-0005NM-KH for qemu-devel@nongnu.org; Wed, 27 Aug 2014 16:48:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XMk8k-0003J3-GN for qemu-devel@nongnu.org; Wed, 27 Aug 2014 16:48:31 -0400 Received: from e7.ny.us.ibm.com ([32.97.182.137]:58312) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XMk8j-0003Ic-Vp for qemu-devel@nongnu.org; Wed, 27 Aug 2014 16:48:22 -0400 Received: from /spool/local by e7.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 27 Aug 2014 13:39:55 -0400 Received: from d01dlp01.pok.ibm.com (9.56.250.166) by e7.ny.us.ibm.com (192.168.1.107) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 27 Aug 2014 13:38:30 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (b01cxnp23034.gho.pok.ibm.com [9.57.198.29]) by d01dlp01.pok.ibm.com (Postfix) with ESMTP id A181A38C806A; Wed, 27 Aug 2014 13:37:34 -0400 (EDT) Received: from d01av03.pok.ibm.com (d01av03.pok.ibm.com [9.56.224.217]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id s7RHbYqe6095326; Wed, 27 Aug 2014 17:37:34 GMT Received: from d01av03.pok.ibm.com (localhost [127.0.0.1]) by d01av03.pok.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s7RHbYXU006090; Wed, 27 Aug 2014 13:37:34 -0400 Received: from localhost ([9.80.81.153]) by d01av03.pok.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id s7RHbXNK005991; Wed, 27 Aug 2014 13:37:34 -0400 From: Michael Roth To: qemu-devel@nongnu.org Date: Wed, 27 Aug 2014 12:36:19 -0500 Message-Id: <1409160982-16389-23-git-send-email-mdroth@linux.vnet.ibm.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1409160982-16389-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1409160982-16389-1-git-send-email-mdroth@linux.vnet.ibm.com> X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 14082717-5806-0000-0000-00000050E681 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 32.97.182.137 Cc: qemu-stable@nongnu.org Subject: [Qemu-devel] [PATCH 22/25] pcihp: fix possible array out of bounds X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: Gonglei Prevent out-of-bounds array access on acpi_pcihp_pci_status. Signed-off-by: Gonglei Reviewed-by: Peter Crosthwaite Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Cc: qemu-stable@nongnu.org Reviewed-by: Marcel Apfelbaum (cherry picked from commit fa365d7cd11185237471823a5a33d36765454e16) Signed-off-by: Michael Roth --- hw/acpi/pcihp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c index fae663a..34dedf1 100644 --- a/hw/acpi/pcihp.c +++ b/hw/acpi/pcihp.c @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) uint32_t val = 0; int bsel = s->hotplug_select; - if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) { + if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) { return 0; }