qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read /

From: Stefan Weil
Subject: Re: [Qemu-devel] [PATCH] hw/mcf5206: Fix buffer overflow for MBAR read / write
Date: Tue, 04 Sep 2012 20:16:06 +0200
User-agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0 
Am 04.09.2012 20:12, schrieb Stefan Weil:

Am 04.09.2012 19:57, schrieb Peter Maydell:

On 4 September 2012 18:37, Stefan Weil <address@hidden> wrote:

Report from smatch:
mcf5206.c:384 m5206_mbar_readb(7) error: buffer overflow 'm5206_mbar_width' 128 <= 128 mcf5206.c:403 m5206_mbar_readw(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128 mcf5206.c:427 m5206_mbar_readl(8) error: buffer overflow 'm5206_mbar_width' 128 <= 128 mcf5206.c:451 m5206_mbar_writeb(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128 mcf5206.c:475 m5206_mbar_writew(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128 mcf5206.c:503 m5206_mbar_writel(9) error: buffer overflow 'm5206_mbar_width' 128 <= 128 

m5206_mbar_width has 0x80 elements and supports 0 <= offset < 0x200.

Signed-off-by: Stefan Weil <address@hidden>
Checked against the data sheet -- last documented register is at offset $1F0, so correcting the offset check rather than the array length is the correct 
fix.

Reviewed-by: Peter Maydell <address@hidden>

-- PMM


Then m5206_mbar_width should be shortened to 124 elements
(0x1f0 / 4) _and_ the offset check needs a correction.

-- sw



Sorry, 125 elements, of course. Or are there undocumented
registers at 0x1f4, 0x1f8 and 0x1fc?

- sw
reply via email to
[Prev in Thread] Current Thread [Next in Thread]