Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SM

From:	Peter Maydell
Subject:	Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
Date:	Fri, 30 Nov 2018 17:39:57 +0000

On Mon, 26 Nov 2018 at 20:04, <address@hidden> wrote:
>
> From: Philippe Mathieu-Daudé <address@hidden>
>
> Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a
> heap overflow.
> Replace the '8' magic number by a definition, and check no more than
> this number are created.
>
> Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
> Signed-off-by: Corey Minyard <address@hidden>
> ---
>  hw/i2c/smbus_eeprom.c         | 13 +++++++++++--
>  include/hw/i2c/smbus_eeprom.h |  4 +++-
>  2 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
> index 942057dc10..a0dcadbd60 100644
> --- a/hw/i2c/smbus_eeprom.c
> +++ b/hw/i2c/smbus_eeprom.c
> @@ -23,6 +23,7 @@
>   */
>
>  #include "qemu/osdep.h"
> +#include "qemu/error-report.h"
>  #include "hw/hw.h"
>  #include "hw/boards.h"
>  #include "hw/i2c/i2c.h"
> @@ -157,12 +158,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t 
> address, uint8_t *eeprom_buf)
>      qdev_init_nofail(dev);
>  }
>
> -void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
> +void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom,
>                         const uint8_t *eeprom_spd, int eeprom_spd_size)
>  {
>      int i;
> +    uint8_t *eeprom_buf;
> +
> +    if (nb_eeprom > SMBUS_EEPROM_MAX) {
> +        error_report("At most %u EEPROM are supported on a SMBus.",
> +                     SMBUS_EEPROM_MAX);
> +        exit(1);

You could also just assert(), since this would be a
QEMU bug (all callers use fixed values for this argument).

> +    }
> +
>       /* XXX: make this persistent */
> -    uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE);
> +    eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE);

So if we allocate N buffers as the caller requests, what
is the thing that means that more than 8 won't work ?

We've now changed from allocating always 8 lots of
the EEPROM size to possibly allocating fewer than that.
How does the code in the device know what the size
of the buffer we're passing as the "data" property is
now? We don't pass it the number of EEPROMs as a property.

>      if (eeprom_spd_size > 0) {
>          memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size);
>      }
> diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h
> index 46fb1a37d6..8436200599 100644
> --- a/include/hw/i2c/smbus_eeprom.h
> +++ b/include/hw/i2c/smbus_eeprom.h
> @@ -25,8 +25,10 @@
>
>  #include "hw/i2c/i2c.h"
>
> +#define SMBUS_EEPROM_MAX 8
> +
>  void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t 
> *eeprom_buf);
> -void smbus_eeprom_init(I2CBus *bus, int nb_eeprom,
> +void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom,
>                         const uint8_t *eeprom_spd, int size);

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH v3 02/16] i2c: have I2C receive operation return uint8_t, (continued)
- [Qemu-devel] [PATCH v3 11/16] i2c:smbus_slave: Add an SMBus vmstate structure, minyard, 2018/11/26
  - Re: [Qemu-devel] [PATCH v3 11/16] i2c:smbus_slave: Add an SMBus vmstate structure, Dr. David Alan Gilbert, 2018/11/29
- [Qemu-devel] [PATCH v3 08/16] boards.h: Ignore migration for SMBus devices on older machines, minyard, 2018/11/26
  - Re: [Qemu-devel] [PATCH v3 08/16] boards.h: Ignore migration for SMBus devices on older machines, Dr. David Alan Gilbert, 2018/11/29
- [Qemu-devel] [PATCH v3 07/16] i2c:pm_smbus: Fix pm_smbus handling of I2C block read, minyard, 2018/11/26
- [Qemu-devel] [PATCH v3 06/16] i2c: Add a length check to the SMBus write handling, minyard, 2018/11/26
  - Re: [Qemu-devel] [PATCH v3 06/16] i2c: Add a length check to the SMBus write handling, Philippe Mathieu-Daudé, 2018/11/26
- [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus, minyard, 2018/11/26
  - Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus, Peter Maydell <=
    - Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus, Corey Minyard, 2018/11/30
- [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, minyard, 2018/11/26
  - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Philippe Mathieu-Daudé, 2018/11/26
    - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Corey Minyard, 2018/11/26
    - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Philippe Mathieu-Daudé, 2018/11/26
    - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Corey Minyard, 2018/11/26
    - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Philippe Mathieu-Daudé, 2018/11/27
    - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Corey Minyard, 2018/11/27
    - Re: [Qemu-devel] [PATCH v3 16/16] i2c:smbus_eeprom: Add a reset function to smbus_eeprom, Philippe Mathieu-Daudé, 2018/11/27
- [Qemu-devel] [PATCH v3 14/16] i2c:smbus_eeprom: Add vmstate handling to the smbus eeprom, minyard, 2018/11/26

Prev by Date: Re: [Qemu-devel] [PATCH v1 3/4] hw/arm: versal: Use IRQs 111 - 118 for virtio-mmio
Next by Date: Re: [Qemu-devel] [PATCH for-4.0 v2 11/37] tcg/aarch64: Parameterize the temps for tcg_out_tlb_read
Previous by thread: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
Next by thread: Re: [Qemu-devel] [PATCH v3 15/16] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus
Index(es):
- Date
- Thread