[PULL 07/19] hw: misc: edu: fix 2 off-by-one errors
From: Thomas Huth
Subject: [PULL 07/19] hw: misc: edu: fix 2 off-by-one errors
Date: Tue, 30 Apr 2024 09:13:28 +0200
From: Chris Friedt <chrisfriedt@gmail.com>
In the case that size1 was zero, because of the explicit
'end1 > addr' check, the range check would fail and the error
message would read as shown below. The correct comparison
is 'end1 >= addr'.
EDU: DMA range 0x40000-0x3ffff out of bounds (0x40000-0x40fff)!
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1254
Signed-off-by: Chris Friedt <cfriedt@meta.com>
[thuth: Adjust patch with regards to the "end1 <= end2" check]
Message-ID: <20221018122551.94567-1-cfriedt@meta.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/misc/edu.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/hw/misc/edu.c b/hw/misc/edu.c
index 2a976ca2b1..14250e0ac3 100644
--- a/hw/misc/edu.c
+++ b/hw/misc/edu.c
@@ -103,19 +103,18 @@ static void edu_lower_irq(EduState *edu, uint32_t val)
}
}
-static bool within(uint64_t addr, uint64_t start, uint64_t end)
-{
- return start <= addr && addr < end;
-}
-
-static void edu_check_range(uint64_t addr, uint64_t size1, uint64_t start,
- uint64_t size2)
+static void edu_check_range(uint64_t addr, uint64_t size1,
+ uint64_t start, uint64_t size2)
{
uint64_t end1 = addr + size1;
uint64_t end2 = start + size2;
- if (within(addr, start, end2) &&
- end1 > addr && end1 <= end2) {
+ /*
+ * 1. ensure we aren't overflowing
+ * 2. ensure that [addr, end1) is within [start, size2)
+ */
+ if (end2 >= start && end1 >= addr &&
+ addr >= start && end1 <= end2) {
return;
}
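Review bot: the new comment says `[addr, end1)` must lie within `[start, size2)`, but size2 is a length, and the interval the code actually compares against is `[start, end2)`; suggest changing the comment to `within [start, end2)`. It would also help to state why `end2 >= start && end1 >= addr` is a complete wraparound check: 64-bit unsigned addition wraps exactly when the sum is smaller than one of its operands, so a wrapped end1 or end2 always fails one of these two comparisons. One behavioural consequence worth recording in the commit message: with `end1 >= addr` and `end1 <= end2`, a zero-length request at `addr == end2` now passes too, whereas the old `within()` rejected any addr at or past end2; that is acceptable for a zero-byte transfer but is a semantic change beyond the size1 == 0 fix.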
--
2.44.0
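To see the off-by-one the commit message describes, here is an added example (not QEMU's code) that reproduces the pre-patch and post-patch range checks as stand-alone functions returning bool instead of calling hw_error(); the function names and the test cases are mine, and the region is the one from the bug report (0x40000-0x40fff).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's code: the pre- and post-patch edu DMA range
 * checks, returning bool instead of calling hw_error(). Names are mine. */

/* Pre-patch helper: [start, end) is half-open, so addr == end is outside. */
static bool within(uint64_t addr, uint64_t start, uint64_t end)
{
    return start <= addr && addr < end;
}

/* Pre-patch check: 'end1 > addr' rejects every zero-length transfer. */
bool edu_range_ok_old(uint64_t addr, uint64_t size1, uint64_t start, uint64_t size2)
{
    uint64_t end1 = addr + size1;
    uint64_t end2 = start + size2;
    return within(addr, start, end2) && end1 > addr && end1 <= end2;
}

/* Post-patch check: 'end1 >= addr' accepts size1 == 0, and because unsigned
 * addition wraps exactly when the sum drops below an operand, 'end1 >= addr'
 * and 'end2 >= start' also reject any addr + size1 or start + size2 overflow. */
bool edu_range_ok_new(uint64_t addr, uint64_t size1, uint64_t start, uint64_t size2)
{
    uint64_t end1 = addr + size1;
    uint64_t end2 = start + size2;
    return end2 >= start && end1 >= addr && addr >= start && end1 <= end2;
}

int main(void)
{
    /* Region from the bug report: 0x40000-0x40fff, i.e. start 0x40000, size 0x1000. */
    const uint64_t start = 0x40000, size2 = 0x1000;
    const struct { uint64_t addr, size; const char *what; } cases[] = {
        { 0x40000, 0, "zero-length at region start (reported case)" },
        { 0x40000, 0x1000, "whole region" },
        { 0x40ff0, 0x20, "runs 0x10 bytes past the end" },
        { 0x40ff0, UINT64_MAX - 0x40ff0 + 0x11, "addr + size1 wraps to 0x10" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-45s old=%d new=%d\n", cases[i].what,
               edu_range_ok_old(cases[i].addr, cases[i].size, start, size2),
               edu_range_ok_new(cases[i].addr, cases[i].size, start, size2));
    }
    return 0;
}
```

The first case is the one from the issue: the old check reports it out of bounds, the new one accepts it, and both still reject the overrun and the wrapped size.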