[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-trivial] [PATCH 2/2] xen-pt: fix Out-of-bounds read
From: |
Gonglei |
Subject: |
Re: [Qemu-trivial] [PATCH 2/2] xen-pt: fix Out-of-bounds read |
Date: |
Tue, 10 Feb 2015 15:19:35 +0800 |
User-agent: |
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 |
On 2015/2/10 15:00, Stefano Stabellini wrote:
> On Tue, 10 Feb 2015, Gonglei wrote:
>> On 2015/2/10 14:39, Stefano Stabellini wrote:
>>> On Sat, 31 Jan 2015, address@hidden wrote:
>>>> From: Gonglei <address@hidden>
>>>>
>>>> The array length of s->real_device.io_regions[] is
>>>> "PCI_NUM_REGIONS - 1". Add a check, just make Coverity happy.
>>>>
>>>> Signed-off-by: Gonglei <address@hidden>
>>>> ---
>>>> hw/xen/xen_pt_config_init.c | 5 +++++
>>>> 1 file changed, 5 insertions(+)
>>>>
>>>> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
>>>> index 710fe50..3c8b0f1 100644
>>>> --- a/hw/xen/xen_pt_config_init.c
>>>> +++ b/hw/xen/xen_pt_config_init.c
>>>> @@ -443,6 +443,11 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState
>>>> *s, XenPTReg *cfg_entry,
>>>> return -1;
>>>> }
>>>>
>>>> + if (index == PCI_ROM_SLOT) {
>>>> + XEN_PT_ERR(&s->dev, "Internal error: Access violation at ROM
>>>> BAR.\n");
>>>> + return -1;
>>>> + }
>>>
>>> Could you please fix the boundaries of the check just above?
>>> Also please avoid using PCI_ROM_SLOT for the array index check, simply
>>> use PCI_NUM_REGIONS.
>>>
>> You meaning is changing the below check:
>>
>> if (index < 0 || index >= PCI_NUM_REGIONS - 1) {
>> XEN_PT_ERR(&s->dev, "Internal error: Invalid BAR index [%d].\n",
>> index);
>> return -1;
>> }
>>
>> Isn't it?
>
> that's right
>
OK, will do, thanks.
Regards,
-Gonglei