| Message ID | e65b2682-ef5b-4445-9b23-87719b2ccba6@CH1EHSMHS027.ehs.local |
|---|---|
| State | New |
| Headers | show |
On Fri, Jan 25, 2013 at 05:58:38PM -0800, Peter Crosthwaite wrote: > Default to moving back to the IDLE state after the COLLECTING_DATA > state. For a well behaved guest this patch has no consequence, but > A bad guest could crash QEMU by using one of the erase commands > followed by a longer than 5 byte argument (undefined behaviour). Applied it, thanks > > Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> > --- > hw/m25p80.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/hw/m25p80.c b/hw/m25p80.c > index ad9e800..16d4880 100644 > --- a/hw/m25p80.c > +++ b/hw/m25p80.c > @@ -359,6 +359,8 @@ static void complete_collecting_data(Flash *s) > s->cur_addr |= s->data[1] << 8; > s->cur_addr |= s->data[2]; > > + s->state = STATE_IDLE; > + > switch (s->cmd_in_progress) { > case DPP: > case QPP: > -- > 1.7.12.1.396.g16eed7c > >
diff --git a/hw/m25p80.c b/hw/m25p80.c index ad9e800..16d4880 100644 --- a/hw/m25p80.c +++ b/hw/m25p80.c @@ -359,6 +359,8 @@ static void complete_collecting_data(Flash *s) s->cur_addr |= s->data[1] << 8; s->cur_addr |= s->data[2]; + s->state = STATE_IDLE; + switch (s->cmd_in_progress) { case DPP: case QPP:
Default to moving back to the IDLE state after the COLLECTING_DATA state. For a well behaved guest this patch has no consequence, but A bad guest could crash QEMU by using one of the erase commands followed by a longer than 5 byte argument (undefined behaviour). Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> --- hw/m25p80.c | 2 ++ 1 file changed, 2 insertions(+)