From patchwork Wed Sep 23 01:55:35 2015
X-Patchwork-Submitter: David Gibson
X-Patchwork-Id: 521569
From: David Gibson
To: peter.maydell@linaro.org
Date: Wed, 23 Sep 2015 11:55:35 +1000
Message-Id: <1442973338-17771-34-git-send-email-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.4.3
In-Reply-To: <1442973338-17771-1-git-send-email-david@gibson.dropbear.id.au>
References: <1442973338-17771-1-git-send-email-david@gibson.dropbear.id.au>
Cc: Thomas Huth, mdroth@linux.vnet.ibm.com, aik@ozlabs.ru, qemu-devel@nongnu.org, agraf@suse.de, qemu-ppc@nongnu.org, David Gibson
Subject: [Qemu-devel] [PULL 33/36] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()

From: Thomas Huth

The buffer that is allocated in spapr_populate_drconf_memory() is used for setting both the "ibm,dynamic-memory" and the "ibm,associativity-lookup-arrays" property. However, only the size of the first one is taken into account when allocating the memory. So if the length of the second property is larger than the length of the first one, we run into a buffer overflow here! Fix it by taking the length of the second property into account, too.

Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
Signed-off-by: Thomas Huth
Reviewed-by: David Gibson
Signed-off-by: David Gibson
---
 hw/ppc/spapr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 59fc814..1333375 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -725,9 +725,12 @@ static int spapr_populate_drconf_memory(sPAPRMachineState *spapr, void *fdt) uint32_t *int_buf, *cur_index, buf_len; int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1; - /* Allocate enough buffer size to fit in ibm,dynamic-memory */ - buf_len = nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t) + - sizeof(uint32_t); + /* + * Allocate enough buffer size to fit in ibm,dynamic-memory + * or ibm,associativity-lookup-arrays + */ + buf_len = MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1, nr_nodes * 4 + 2) + * sizeof(uint32_t); cur_index = int_buf = g_malloc0(buf_len); offset = fdt_add_subnode(fdt, 0, "ibm,dynamic-reconfiguration-memory");
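Review bot: the second MAX() operand, `nr_nodes * 4 + 2`, sizes the ibm,associativity-lookup-arrays property with bare constants, while the first operand uses the named SPAPR_DR_LMB_LIST_ENTRY_SIZE; since this single allocation now has to stay in step with the layout written for both properties, consider expressing the 4 and 2 as named constants (or extending the new comment to say which header and per-node words they account for), so that a later change to that property's encoding cannot silently reintroduce the overflow this patch fixes. It would also be worth a one-line comment that the buffer is reused for both properties, because a reader seeing only `cur_index = int_buf = g_malloc0(buf_len);` cannot tell that the MAX() is what keeps the second fill in bounds.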