[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 2/2] xen-pt: fix Out-of-bounds read
From: |
Stefano Stabellini |
Subject: |
Re: [Qemu-devel] [PATCH 2/2] xen-pt: fix Out-of-bounds read |
Date: |
Tue, 10 Feb 2015 06:39:40 +0000 |
User-agent: |
Alpine 2.02 (DEB 1266 2009-07-14) |
On Sat, 31 Jan 2015, address@hidden wrote:
> From: Gonglei <address@hidden>
>
> The array length of s->real_device.io_regions[] is
> "PCI_NUM_REGIONS - 1". Add a check, just make Coverity happy.
>
> Signed-off-by: Gonglei <address@hidden>
> ---
> hw/xen/xen_pt_config_init.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
> index 710fe50..3c8b0f1 100644
> --- a/hw/xen/xen_pt_config_init.c
> +++ b/hw/xen/xen_pt_config_init.c
> @@ -443,6 +443,11 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState
> *s, XenPTReg *cfg_entry,
> return -1;
> }
>
> + if (index == PCI_ROM_SLOT) {
> + XEN_PT_ERR(&s->dev, "Internal error: Access violation at ROM
> BAR.\n");
> + return -1;
> + }
Could you please fix the boundaries of the check just above?
Also please avoid using PCI_ROM_SLOT for the array index check, simply
use PCI_NUM_REGIONS.
> /* use fixed-up value from kernel sysfs */
> *value = base_address_with_flags(&s->real_device.io_regions[index]);
>
> --
> 1.7.12.4
>
>
- Re: [Qemu-devel] [PATCH 2/2] xen-pt: fix Out-of-bounds read,
Stefano Stabellini <=