From: Philippe Mathieu-Daudé
To: Marc-André Lureau, "Daniel P . Berrange", Kevin Wolf, Max Reitz
Cc: David Engraf, Philippe Mathieu-Daudé, qemu-block@nongnu.org, qemu-devel@nongnu.org
Date: Wed, 4 Apr 2018 20:32:38 -0300
Message-Id: <20180404233238.8068-1-f4bug@amsat.org>
Subject: [Qemu-devel] [PATCH for-2.12] hw/block/pflash_cfi: fix off-by-one error

ASAN reported:

hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for type 'uint8_t [82]'

Since the 'cfi_len' member is not used, remove it to keep the code safer.

Reported-by: AddressSanitizer
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/block/pflash_cfi01.c | 10 ++++------
 hw/block/pflash_cfi02.c | 9 ++++-----
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c index 1113ab1ccf..2e8284001d 100644 --- a/hw/block/pflash_cfi01.c +++ b/hw/block/pflash_cfi01.c @@ -90,7 +90,6 @@ struct pflash_t { uint16_t ident1; uint16_t ident2; uint16_t ident3; - uint8_t cfi_len; uint8_t cfi_table[0x52]; uint64_t counter; unsigned int writeblock_size;
@@ -153,7 +152,7 @@ static uint32_t pflash_cfi_query(pflash_t *pfl, hwaddr = offset) boff =3D offset >> (ctz32(pfl->bank_width) + ctz32(pfl->max_device_width) - ctz32(pfl->device_wid= th)); =20 - if (boff > pfl->cfi_len) { + if (boff >=3D sizeof(pfl->cfi_table)) { return 0; } /* Now we will construct the CFI response generated by a single @@ -385,10 +384,10 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr of= fset, boff =3D boff >> 2; } =20 - if (boff > pfl->cfi_len) { - ret =3D 0; - } else { + if (boff < sizeof(pfl->cfi_table)) { ret =3D pfl->cfi_table[boff]; + } else { + ret =3D 0; } } else { /* If we have a read larger than the bank_width, combine multi= ple @@ -791,7 +790,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Erro= r **errp) pfl->cmd =3D 0; pfl->status =3D 0; /* Hardcoded CFI table */ - pfl->cfi_len =3D 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] =3D 'Q'; pfl->cfi_table[0x11] =3D 'R'; diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c index c81ddd3a99..75d1ae1026 100644 --- a/hw/block/pflash_cfi02.c +++ b/hw/block/pflash_cfi02.c @@ -83,7 +83,6 @@ struct pflash_t { uint16_t ident3; uint16_t unlock_addr0; uint16_t unlock_addr1; - uint8_t cfi_len; uint8_t cfi_table[0x52]; QEMUTimer *timer; /* The device replicates the flash memory across its memory space. Em= ulate @@ -235,10 +234,11 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr of= fset, break; case 0x98: /* CFI query mode */ - if (boff > pfl->cfi_len) - ret =3D 0; - else + if (boff < sizeof(pfl->cfi_table)) { ret =3D pfl->cfi_table[boff]; + } else { + ret =3D 0; + } break; } =20 @@ -663,7 +663,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Erro= r **errp) pfl->cmd =3D 0; pfl->status =3D 0; /* Hardcoded CFI table (mostly from SG29 Spansion flash) */ - pfl->cfi_len =3D 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] =3D 'Q'; pfl->cfi_table[0x11] =3D 'R'; --=20 2.16.3
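Review bot: on the pflash_cfi01.c `@@ -153,7 +152,7 @@ pflash_cfi_query` hunk, the commit message's statement that 'cfi_len' is not used does not match what the hunk shows: `if (boff > pfl->cfi_len)` is precisely a use of it, and the real defect is the comparison operator. realize() set cfi_len to 0x52, which equals sizeof(cfi_table), so `boff > cfi_len` let boff == 0x52 through to `cfi_table[0x52]`, one element past the end; the change to `boff >= sizeof(pfl->cfi_table)` is the actual fix. Suggest rewording the commit message to say the bound check used `>` where `>=` was needed, and to present dropping the field as the follow-on cleanup that ties the bound to the array declaration instead of a separately maintained length. The same reasoning applies to the `@@ -385,10 +384,10 @@ pflash_read` hunk in the same file, where the inverted `boff < sizeof(pfl->cfi_table)` form is equivalent and reads more clearly.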
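Review bot: the pflash_cfi02.c `@@ -235,10 +234,11 @@ pflash_read` hunk is the one the ASAN report (pflash_cfi02.c:245:33, index 82 for type 'uint8_t [82]') points at: 82 is 0x52, so the old `if (boff > pfl->cfi_len)` accepted boff == 0x52 and read `cfi_table[0x52]` past the end of the 0x52-byte table. The new `if (boff < sizeof(pfl->cfi_table))` closes that, and the added braces replace the previously brace-less `if`/`else`, matching the braced form the pflash_cfi01.c hunks already use; since this is the only hunk that changes style as well as the bound, it is worth a sentence in the commit message so the brace change is not mistaken for part of the fix.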
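Review bot: the two struct hunks (`@@ -90,7 +90,6 @@ struct pflash_t` in pflash_cfi01.c and `@@ -83,7 +83,6 @@ struct pflash_t` in pflash_cfi02.c) delete `uint8_t cfi_len;`, and the only other references the diff touches are the bound checks and the two realize() hunks removing `pfl->cfi_len = 0x52;`. Please confirm in the cover text that no VMStateDescription field or device property names cfi_len, since any remaining reference would fail to compile once the member is gone. With the field removed, the literal 0x52 survives only in the `cfi_table[0x52]` declaration, which eliminates the duplicated constant that realize() and the array size previously had to keep in agreement.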