qemu-devel

[Qemu-devel] [PATCH] vfio/common: Check iova with limit not with size


From: Pierre Morel
Subject: [Qemu-devel] [PATCH] vfio/common: Check iova with limit not with size
Date: Thu, 10 Dec 2015 10:58:25 +0100

In vfio_listener_region_add(), the code makes sure
that the offset in the section is lower than the size
of the section.
To do this, the calculation uses the size of the region
instead of the region limit (size - 1).

This leads to Int128 overflow when the region has
been initialized with UINT64_MAX.

Let's use the address limit of the region instead of the size.

Signed-off-by: Pierre Morel <address@hidden>
---
 hw/vfio/common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index 85ee9b0..0da10d6 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -338,7 +338,7 @@ static void vfio_listener_region_add(MemoryListener 
*listener,
 
     iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
     llend = int128_make64(section->offset_within_address_space);
-    llend = int128_add(llend, section->size);
+    llend = int128_add(llend, int128_sub(section->size, int128_one()));
     llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
 
     if (int128_ge(int128_make64(iova), llend)) {
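Review bot: the `int128_ge` check on the last line of this hunk now has off-by-one-page semantics, because `llend` changes from the exclusive end of the section to its inclusive last byte rounded down to a page boundary. For a section that covers exactly one aligned page (offset 0x1000, size 0x1000), the old code computed llend = 0x2000 and proceeded, while the new code computes llend = 0x1000, so `iova >= llend` is true and the section is silently skipped. If `llend` is meant to carry the inclusive limit, the comparison should become `int128_gt(int128_make64(iova), llend)`, and every later use of `llend` in this function (not shown in the hunk, e.g. where the mapped length is derived from it) needs the same review, otherwise the DMA mapping will be one page short. The commit message should also state where the Int128 overflow actually occurs for a UINT64_MAX-sized region, since the `int128_add` shown here cannot overflow a 128-bit value on its own.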
-- 
1.7.1
