From patchwork Tue Jun 19 01:42:22 2018
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 931311
From: Michael Roth
To: qemu-devel@nongnu.org
Date: Mon, 18 Jun 2018 20:42:22 -0500
Message-Id: <20180619014319.28272-57-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20180619014319.28272-1-mdroth@linux.vnet.ibm.com>
References: <20180619014319.28272-1-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 056/113] hw/block/pflash_cfi: fix off-by-one error
Cc: Kevin Wolf, qemu-stable@nongnu.org, Philippe Mathieu-Daudé

From: Philippe Mathieu-Daudé

ASAN reported:

  hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for type 'uint8_t [82]'

Since the 'cfi_len' member is not used, remove it to keep the code safer.

Cc: qemu-stable@nongnu.org
Reported-by: AddressSanitizer
Signed-off-by: Philippe Mathieu-Daudé
Signed-off-by: Kevin Wolf
(cherry picked from commit 07c13a71721d9f8c690b66752964e254af247475)
Signed-off-by: Michael Roth
---
 hw/block/pflash_cfi01.c | 10 ++++------
 hw/block/pflash_cfi02.c |  9 ++++-----
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c index 1113ab1ccf..2e8284001d 100644 --- a/hw/block/pflash_cfi01.c +++ b/hw/block/pflash_cfi01.c @@ -90,7 +90,6 @@ struct pflash_t { uint16_t ident1; uint16_t ident2; uint16_t ident3; - uint8_t cfi_len; uint8_t cfi_table[0x52]; uint64_t counter; unsigned int writeblock_size;
@@ -153,7 +152,7 @@ static uint32_t pflash_cfi_query(pflash_t *pfl, hwaddr offset) boff = offset >> (ctz32(pfl->bank_width) + ctz32(pfl->max_device_width) - ctz32(pfl->device_width)); - if (boff > pfl->cfi_len) { + if (boff >= sizeof(pfl->cfi_table)) { return 0; } /* Now we will construct the CFI response generated by a single @@ -385,10 +384,10 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset, boff = boff >> 2; } - if (boff > pfl->cfi_len) { - ret = 0; - } else { + if (boff < sizeof(pfl->cfi_table)) { ret = pfl->cfi_table[boff]; + } else { + ret = 0; } } else { /* If we have a read larger than the bank_width, combine multiple @@ -791,7 +790,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Error **errp) pfl->cmd = 0; pfl->status = 0; /* Hardcoded CFI table */ - pfl->cfi_len = 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] = 'Q'; pfl->cfi_table[0x11] = 'R'; diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c index c81ddd3a99..75d1ae1026 100644 --- a/hw/block/pflash_cfi02.c +++ b/hw/block/pflash_cfi02.c @@ -83,7 +83,6 @@ struct pflash_t { uint16_t ident3; uint16_t unlock_addr0; uint16_t unlock_addr1; - uint8_t cfi_len; uint8_t cfi_table[0x52]; QEMUTimer *timer; /* The device replicates the flash memory across its memory space. Emulate @@ -235,10 +234,11 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset, break; case 0x98: /* CFI query mode */ - if (boff > pfl->cfi_len) - ret = 0; - else + if (boff < sizeof(pfl->cfi_table)) { ret = pfl->cfi_table[boff]; + } else { + ret = 0; + } break; } @@ -663,7 +663,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp) pfl->cmd = 0; pfl->status = 0; /* Hardcoded CFI table (mostly from SG29 Spansion flash) */ - pfl->cfi_len = 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] = 'Q'; pfl->cfi_table[0x11] = 'R';
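Review bot: the commit message's justification ("the 'cfi_len' member is not used") does not match the `struct pflash_t` hunk that removes `uint8_t cfi_len;`: the '-' lines show cfi_len being read in three bounds checks (`if (boff > pfl->cfi_len)` in pflash_cfi_query and in both pflash_read functions) and being set to 0x52 in both realize functions. The actual defect is that `>` admits boff == cfi_len == 0x52, one past the end of `uint8_t cfi_table[0x52]`, which is the "index 82 out of bounds" ASAN reported. Suggest the message say the checks were off by one and that cfi_len is dropped because sizeof(cfi_table) is the authoritative bound, so the two can no longer drift apart.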
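Review bot: in the pflash_cfi_query hunk, `if (boff >= sizeof(pfl->cfi_table))` is the correct replacement for `if (boff > pfl->cfi_len)`: boff is derived from the guest-supplied offset (shifted by bank_width, max_device_width and device_width in the context lines), so the last admitted index must be 0x51, not 0x52. Since out-of-table queries now silently `return 0` rather than failing loudly, a one-line comment stating that reads past the CFI table deliberately return 0 would help the next reader, as the same convention is relied on in pflash_read below.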
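Review bot: the pflash_cfi02.c `case 0x98: /* CFI query mode */` hunk is the site ASAN flagged (pflash_cfi02.c:245), and rewriting it as `if (boff < sizeof(pfl->cfi_table)) { ret = pfl->cfi_table[boff]; } else { ret = 0; }` both fixes the bound and brings the block to braced style, matching the pflash_cfi01.c pflash_read hunk. The identical predicate now appears three times across the two files (pflash_cfi_query and pflash_read in cfi01, pflash_read in cfi02); a small shared static inline helper returning the table byte or 0 would keep the three in step if the table size ever changes.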
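The off-by-one the commit message describes, as an added example that is not part of this patch or of QEMU: a stand-alone C model of the CFI query read path with the old `boff > cfi_len` test placed beside the new `boff < sizeof(cfi_table)` one. The struct and function names (`cfi_dev`, `cfi_query_read`, `first_index_only_old_admits`), the width-scaling of the query offset and the constructed table contents are assumptions made here, not QEMU's code; the old predicate is only evaluated, never used to index the table, because `cfi_table[0x52]` is undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the CFI table, matching `uint8_t cfi_table[0x52]` in the patch. */
#define CFI_TABLE_LEN 0x52

/* Stand-in for pflash_t (hypothetical name; only the fields needed here). */
struct cfi_dev {
    uint8_t cfi_table[CFI_TABLE_LEN];
    uint8_t cfi_len;      /* the member the patch removes; kept to show the old test */
    uint64_t counter;     /* whatever follows the table is what an OOB read would expose */
    int width;            /* device width in bytes: 1, 2 or 4 (assumption) */
};

/* Old predicate from the patch's '-' lines: `boff > pfl->cfi_len` rejects.
 * It admits boff == cfi_len == 0x52, one past the end of the table. */
static bool old_check_admits(const struct cfi_dev *d, uint64_t boff)
{
    return !(boff > d->cfi_len);
}

/* New predicate from the '+' lines: the bound is the array's own size. */
static bool new_check_admits(const struct cfi_dev *d, uint64_t boff)
{
    return boff < sizeof(d->cfi_table);
}

/* Query-byte offset model (assumption): low byte of the guest address,
 * scaled down by device width so wide devices still index one table byte. */
static uint64_t cfi_boff(const struct cfi_dev *d, uint64_t offset)
{
    uint64_t boff = offset & 0xFF;
    if (d->width == 2) {
        boff >>= 1;
    } else if (d->width == 4) {
        boff >>= 2;
    }
    return boff;
}

/* Fixed CFI query read: out-of-table offsets return 0, never an OOB read. */
static uint32_t cfi_query_read(const struct cfi_dev *d, uint64_t offset)
{
    uint64_t boff = cfi_boff(d, offset);
    return new_check_admits(d, boff) ? d->cfi_table[boff] : 0;
}

/* Constructed device state: only the standard "QRY" string is filled in. */
static void cfi_dev_init(struct cfi_dev *d, int width)
{
    memset(d, 0, sizeof(*d));
    d->cfi_len = CFI_TABLE_LEN;
    d->width = width;
    d->cfi_table[0x10] = 'Q';
    d->cfi_table[0x11] = 'R';
    d->cfi_table[0x12] = 'Y';
    d->counter = 0xA5A5A5A5A5A5A5A5ULL;  /* bytes an OOB read could have leaked */
}

/* Scans every index a one-byte query can produce and returns the first one
 * the old check lets through but the new check rejects, or -1 if none. */
static int first_index_only_old_admits(void)
{
    struct cfi_dev d;
    cfi_dev_init(&d, 1);
    for (uint64_t boff = 0; boff <= 0xFF; boff++) {
        if (old_check_admits(&d, boff) && !new_check_admits(&d, boff)) {
            return (int)boff;
        }
    }
    return -1;
}

/* Fresh device of the given width, then one query through the fixed path. */
static uint32_t cfi_query_read_sample(uint64_t offset, int width)
{
    struct cfi_dev d;
    cfi_dev_init(&d, width);
    return cfi_query_read(&d, offset);
}

int main(void)
{
    printf("index admitted only by the old check: 0x%x\n", first_index_only_old_admits());
    printf("query 0x10 (width 1): '%c'\n", cfi_query_read_sample(0x10, 1));
    printf("query 0x20 (width 2): '%c'\n", cfi_query_read_sample(0x20, 2));
    printf("query 0x52 (width 1): %u\n", cfi_query_read_sample(0x52, 1));
    return 0;
}
```

The scan in `first_index_only_old_admits` is the property a reviewer wants pinned down: exactly one index, 0x52, passes the old comparison and fails the new one, and that index is the array length, so the old code's out-of-bounds read was a single byte past `cfi_table` into the next struct member.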