[Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to r
From: Marcel Apfelbaum
Subject: [Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to regs array
Date: Mon, 30 Apr 2018 23:02:21 +0300
From: Yuval Shaia <address@hidden>
Coverity (CID1390589, CID1390608).
Array size is RDMA_BAR1_REGS_SIZE, let's make sure the given address is
in range.
While there also:
1. Adjust the size of this bar to reasonable size
2. Report the size of the array with sizeof(array)
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Yuval Shaia <address@hidden>
Reviewed-by: Marcel Apfelbaum <address@hidden>
---
hw/rdma/vmw/pvrdma.h | 6 +++---
hw/rdma/vmw/pvrdma_main.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma.h b/hw/rdma/vmw/pvrdma.h
index 8c173cb824..0b46dc5a9b 100644
--- a/hw/rdma/vmw/pvrdma.h
+++ b/hw/rdma/vmw/pvrdma.h
@@ -31,7 +31,7 @@
#define RDMA_REG_BAR_IDX 1
#define RDMA_UAR_BAR_IDX 2
#define RDMA_BAR0_MSIX_SIZE (16 * 1024)
-#define RDMA_BAR1_REGS_SIZE 256
+#define RDMA_BAR1_REGS_SIZE 64
#define RDMA_BAR2_UAR_SIZE (0x1000 * MAX_UCS) /* each uc gets page */
/* MSIX */
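Review bot: RDMA_BAR1_REGS_SIZE is now a register count rather than a byte size, and nothing at the define says so. get_reg_val and set_reg_val compare it against idx = addr >> 2, while the neighbouring RDMA_BAR0_MSIX_SIZE (16 * 1024) and RDMA_BAR2_UAR_SIZE (0x1000 * MAX_UCS) are byte sizes, so the next reader can easily pass it where bytes are expected. Please add a comment stating the unit, or rename it (for example to a _COUNT or _NUM_REGS suffix). The commit message should also say why 64 entries is the right number instead of just "reasonable size".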
@@ -86,7 +86,7 @@ static inline int get_reg_val(PVRDMADev *dev, hwaddr addr,
uint32_t *val)
{
int idx = addr >> 2;
- if (idx > RDMA_BAR1_REGS_SIZE) {
+ if (idx >= RDMA_BAR1_REGS_SIZE) {
return -EINVAL;
}
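Review bot: the check in get_reg_val only guards the upper bound, and idx is a signed int produced by narrowing a hwaddr in "int idx = addr >> 2;". hwaddr is a 64-bit unsigned type, so an address with the right high bits set truncates to a negative idx, which passes "idx >= RDMA_BAR1_REGS_SIZE" and indexes before the start of the array. The size of the MMIO region normally keeps addr small, but the helper should not depend on its caller for that. Suggest making idx unsigned (or keeping it as hwaddr), or rejecting addr against the byte size of the array before shifting.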
@@ -99,7 +99,7 @@ static inline int set_reg_val(PVRDMADev *dev, hwaddr addr,
uint32_t val)
{
int idx = addr >> 2;
- if (idx > RDMA_BAR1_REGS_SIZE) {
+ if (idx >= RDMA_BAR1_REGS_SIZE) {
return -EINVAL;
}
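Review bot: set_reg_val repeats the same index computation and bounds test as get_reg_val, which is how both copies ended up with the same off-by-one. Consider a single small helper that turns addr into a validated index (or returns -EINVAL), used by both accessors, so a future change to the array size or the check cannot fix one path and miss the other. This matters more on the write path, where an out-of-range index is a guest-controlled store.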
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 994220b58e..3ed7409763 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -449,14 +449,14 @@ static void init_bars(PCIDevice *pdev)
/* BAR 1 - Registers */
memset(&dev->regs_data, 0, sizeof(dev->regs_data));
memory_region_init_io(&dev->regs, OBJECT(dev), ®s_ops, dev,
- "pvrdma-regs", RDMA_BAR1_REGS_SIZE);
+ "pvrdma-regs", sizeof(dev->regs_data));
pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
&dev->regs);
/* BAR 2 - UAR */
memset(&dev->uar_data, 0, sizeof(dev->uar_data));
memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar",
- RDMA_BAR2_UAR_SIZE);
+ sizeof(dev->uar_data));
pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
&dev->uar);
}
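Review bot: in init_bars both BAR sizes now come from sizeof(dev->regs_data) and sizeof(dev->uar_data), whose declarations are not part of this patch, so the guest-visible BAR sizes can no longer be checked from the diff. For BAR 1 the size matches the old 256 bytes only if regs_data is 64 four-byte entries, and a PCI BAR size has to be a power of two, which a later change to either array could silently break. Suggest a build-time assertion next to the array declarations that ties sizeof() to the intended byte size. The commit message should also mention that the UAR BAR is touched, since the subject and description only talk about the regs array.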
--
2.14.3