Message ID | 20230404074506.112615-1-jiangfeng@kylinos.cn |
---|---|
State | New |
Series | exynos: Fix out-of-bounds access in exynos4210_gcomp_find |

On Tue, 4 Apr 2023 at 08:45, Feng Jiang <jiangfeng@kylinos.cn> wrote:
>
> When 'res' equals -1, the array 's->g_timer.reg.comp[]' is accessed
> out of bounds.
>
> Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
> ---
> hw/timer/exynos4210_mct.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)

Only happens if you change the source code to enable the debug
printfs though, which isn't the default. I'll tweak the
commit message to make that clearer.

Applied to target-arm.next for 8.1, thanks.

-- PMM

On Tue, 2023-04-11 at 14:02 +0100, Peter Maydell wrote:
> On Tue, 4 Apr 2023 at 08:45, Feng Jiang <jiangfeng@kylinos.cn> wrote:
> >
> > When 'res' equals -1, the array 's->g_timer.reg.comp[]' is accessed
> > out of bounds.
> >
> > Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
> > ---
> > hw/timer/exynos4210_mct.c | 13 ++++++++-----
> > 1 file changed, 8 insertions(+), 5 deletions(-)
>
> Only happens if you change the source code to enable the debug
> printfs though, which isn't the default. I'll tweak the
> commit message to make that clearer.
>
> Applied to target-arm.next for 8.1, thanks.
>
> -- PMM
>

Hi Peter,

Thanks very much for your review! Next time I will write the commit
message more clearly and in detail.

Best regards,
Feng

diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c index c17b247da3..446bbd2b96 100644 --- a/hw/timer/exynos4210_mct.c +++ b/hw/timer/exynos4210_mct.c @@ -480,11 +480,14 @@ static int32_t exynos4210_gcomp_find(Exynos4210MCTState *s) res = min_comp_i; } - DPRINTF("found comparator %d: comp 0x%llx distance 0x%llx, gfrc 0x%llx\n", - res, - s->g_timer.reg.comp[res], - distance_min, - gfrc); + if (res >= 0) { + DPRINTF("found comparator %d: " + "comp 0x%llx distance 0x%llx, gfrc 0x%llx\n", + res, + s->g_timer.reg.comp[res], + distance_min, + gfrc); + } return res; }
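
Review bot: with the new `if (res >= 0)` guard around the DPRINTF at the end of exynos4210_gcomp_find(), the not-found path (res of -1, per the commit message) now returns with no debug output at all, so a trace taken with the debug printfs enabled no longer shows that the search ran and found nothing. Consider an else branch that logs the miss together with gfrc, which needs no array index. The commit message should also state that the out-of-bounds read of `s->g_timer.reg.comp[res]` sits only in the DPRINTF arguments, so it is reachable only when the debug printfs are compiled in, as the review reply points out.
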
When 'res' equals -1, the array 's->g_timer.reg.comp[]' is accessed
out of bounds.

Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
---
hw/timer/exynos4210_mct.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)