[Qemu-devel] [PULL 26/50] xilinx: fix buffer overflow on realize
From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 26/50] xilinx: fix buffer overflow on realize
Date: Mon, 24 Oct 2016 15:47:11 +0200
ASAN complains about buffer overflow when running:
aarch64-softmmu/qemu-system-aarch64 -machine xilinx-zynq-a9
==476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000035e38 at pc 0x000000f75253 bp 0x7ffc597e0ec0 sp 0x7ffc597e0eb0
READ of size 8 at 0x602000035e38 thread T0
#0 0xf75252 in xilinx_spips_realize hw/ssi/xilinx_spips.c:623
#1 0xb9ef6c in device_set_realized hw/core/qdev.c:918
#2 0x129ae01 in property_set_bool qom/object.c:1854
#3 0x1296e70 in object_property_set qom/object.c:1088
#4 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27
#5 0x1297168 in object_property_set_bool qom/object.c:1157
#6 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358
#7 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125
#8 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238
#9 0x998eac in main /home/elmarco/src/qemu/vl.c:4534
#10 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730)
#11 0x41d0a8 in _start (/home/elmarco/src/qemu/aarch64-softmmu/qemu-system-aarch64+0x41d0a8)
0x602000035e38 is located 0 bytes to the right of 8-byte region [0x602000035e30,0x602000035e38)
allocated by thread T0 here:
#0 0x7f970b014e60 in malloc (/lib64/libasan.so.3+0xc6e60)
#1 0x7f96f15b0e18 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee18)
#2 0xb9ef6c in device_set_realized hw/core/qdev.c:918
#3 0x129ae01 in property_set_bool qom/object.c:1854
#4 0x1296e70 in object_property_set qom/object.c:1088
#5 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27
#6 0x1297168 in object_property_set_bool qom/object.c:1157
#7 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358
#8 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125
#9 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238
#10 0x998eac in main /home/elmarco/src/qemu/vl.c:4534
#11 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730)
s->spi is allocated with the size of num_busses which may be 1 (by
default). Change to use a loop up to s->num_busses also for the
call to ssi_auto_connect_slaves().
Reported-by: Marc-André Lureau <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/ssi/xilinx_spips.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index e2b77dc..da8adfa 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -607,6 +607,7 @@ static void xilinx_spips_realize(DeviceState *dev, Error
**errp)
XilinxSPIPS *s = XILINX_SPIPS(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
XilinxSPIPSClass *xsc = XILINX_SPIPS_GET_CLASS(s);
+ qemu_irq *cs;
int i;
DB_PRINT_L(0, "realized spips\n");
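Review bot: the new `qemu_irq *cs` declaration carries no comment, and its only role is as the running window pointer into s->cs_lines in the loop further down; a one-line comment at the declaration (or a name like `cs_base`) would make that intent visible where the variable is introduced rather than only at its use.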
@@ -619,8 +620,10 @@ static void xilinx_spips_realize(DeviceState *dev, Error
**errp)
}
s->cs_lines = g_new0(qemu_irq, s->num_cs * s->num_busses);
- ssi_auto_connect_slaves(DEVICE(s), s->cs_lines, s->spi[0]);
- ssi_auto_connect_slaves(DEVICE(s), s->cs_lines, s->spi[1]);
+ for (i = 0, cs = s->cs_lines; i < s->num_busses; ++i, cs += s->num_cs) {
+ ssi_auto_connect_slaves(DEVICE(s), cs, s->spi[i]);
+ }
+
sysbus_init_irq(sbd, &s->irq);
for (i = 0; i < s->num_cs * s->num_busses; ++i) {
sysbus_init_irq(sbd, &s->cs_lines[i]);
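Review bot: besides removing the out-of-bounds read of s->spi[1] when num_busses is 1, the loop also changes the wiring for num_busses == 2: the removed lines passed s->cs_lines itself to both calls, so the second bus's slaves were connected to bus 0's chip-select lines, whereas the new loop advances cs by s->num_cs per bus so each bus gets its own slice of the s->num_cs * s->num_busses array allocated just above. That second behaviour change deserves a sentence in the commit message, which currently only describes the overflow. The loop bound and the stride are consistent with that allocation, so cs never runs past the end of s->cs_lines.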
--
1.8.3.1
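The following is an added model of the realize logic described in the commit message, not QEMU's code: it represents the two arrays only by their lengths and records which cs_lines window each bus receives, so the old fixed indices {0, 1} and the new num_busses-bounded loop can be compared without an out-of-bounds access. The `Model`, `realize_old`, `realize_fixed` and `cs_first` names are assumptions of this example.

```c
/* Added example (not QEMU code): models how xilinx_spips_realize hands
 * each SPI bus a window of s->num_cs entries from s->cs_lines, and why
 * indexing s->spi[1] with num_busses == 1 read past the spi allocation. */
#include <stdio.h>

#define MAX_BUSSES 2

/* Hypothetical stand-in for the device state with only the fields the
 * example needs. spi_count models the length of the spi[] allocation,
 * which in the real device is num_busses. */
typedef struct {
    int num_busses;
    int num_cs;
    int spi_count;              /* allocated length of spi[] */
    int cs_first[MAX_BUSSES];   /* first cs_lines index given to bus i */
} Model;

static Model make_model(int num_busses, int num_cs)
{
    Model m = { .num_busses = num_busses, .num_cs = num_cs,
                .spi_count = num_busses, .cs_first = { -1, -1 } };
    return m;
}

/* Mirrors the removed code: busses 0 and 1 unconditionally, and the same
 * base pointer (s->cs_lines) for both. Returns -1 where the real code
 * would read spi[1] past a 1-element allocation. */
static int realize_old(Model *m)
{
    for (int i = 0; i < 2; ++i) {
        if (i >= m->spi_count) {
            return -1;          /* the heap-buffer-overflow ASAN reported */
        }
        m->cs_first[i] = 0;     /* both calls passed s->cs_lines itself */
    }
    return 0;
}

/* Mirrors the fixed loop: bus i gets cs_lines[i*num_cs .. (i+1)*num_cs),
 * and the bus index never exceeds the spi allocation. */
static int realize_fixed(Model *m)
{
    int cs = 0;
    for (int i = 0; i < m->num_busses; ++i, cs += m->num_cs) {
        if (i >= m->spi_count) {
            return -1;          /* cannot happen: both bounds are num_busses */
        }
        m->cs_first[i] = cs;
    }
    return 0;
}
```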