In commit 802cbcb7300, most issues have been fixed for qemu guest
migration. But the queue size still needs to be checked for whether it is equal to
PS2_QUEUE_SIZE. If yes, the wptr should be set to 0. Otherwise, wptr would be larger
than PS2_QUEUE_SIZE and never come back when ps2_queue_noirq is called.
This could lead to OOB access; add a check to avoid it.
Signed-off-by: liujunjie <liujunjie23@huawei.com>
---
hw/input/ps2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index eeec618..fdfcadf 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -927,7 +927,7 @@ static void ps2_common_post_load(PS2State *s)
/* reset rptr/wptr/count */
q->rptr = 0;
- q->wptr = size;
+ q->wptr = (size == PS2_QUEUE_SIZE) ? 0 : size;
q->count = size;
s->update_irq(s->update_arg, q->count != 0);
}
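Review bot: the new assignment only handles the exact case size == PS2_QUEUE_SIZE, so it depends on size having already been bounded to at most PS2_QUEUE_SIZE earlier in ps2_common_post_load, which this hunk does not show. A short comment above `q->wptr = (size == PS2_QUEUE_SIZE) ? 0 : size;` stating that wptr must stay strictly below PS2_QUEUE_SIZE because ps2_queue_noirq never brings an out-of-range wptr back (as the commit message explains) would make that dependency explicit; the existing `/* reset rptr/wptr/count */` comment is a natural place for it.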
--
1.8.3.1
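The wrap rule the commit message describes, as an added example that is not QEMU's own code: a simplified model of the PS2Queue ring buffer using the names from the patch, where PS2_QUEUE_SIZE = 256, the struct layout and the ps2_read_data consumer are assumptions. An invariant check refuses any store or read once a restored wptr is not strictly below PS2_QUEUE_SIZE, and post_load can run in its pre-patch or patched form.

```c
/* Added example, not QEMU's own code: a simplified model of the PS2Queue ring
 * buffer in hw/input/ps2.c using the field and function names from the patch.
 * PS2_QUEUE_SIZE = 256 and the struct layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>

#define PS2_QUEUE_SIZE 256

typedef struct {
    uint8_t data[PS2_QUEUE_SIZE];
    int rptr, wptr, count;
} PS2Queue;

/* Invariant the ring relies on: both indices strictly below the array size. */
static bool ps2_queue_is_valid(const PS2Queue *q)
{
    return q->rptr >= 0 && q->rptr < PS2_QUEUE_SIZE &&
           q->wptr >= 0 && q->wptr < PS2_QUEUE_SIZE &&
           q->count >= 0 && q->count <= PS2_QUEUE_SIZE;
}

/* Producer modelled on the device: store at wptr, wrap only when the
 * incremented index hits PS2_QUEUE_SIZE. A wptr already equal to PS2_QUEUE_SIZE
 * is never wrapped and would index past data[]; is_valid refuses that. */
static bool ps2_queue_noirq(PS2Queue *q, uint8_t b)
{
    if (q->count == PS2_QUEUE_SIZE || !ps2_queue_is_valid(q)) return false;
    q->data[q->wptr] = b;
    if (++q->wptr == PS2_QUEUE_SIZE) q->wptr = 0;
    q->count++;
    return true;
}

/* Consumer (assumed): take one byte at rptr with the same wrap rule. */
static int ps2_read_data(PS2Queue *q)
{
    if (q->count == 0 || !ps2_queue_is_valid(q)) return -1;
    uint8_t b = q->data[q->rptr];
    if (++q->rptr == PS2_QUEUE_SIZE) q->rptr = 0;
    q->count--;
    return b;
}

/* post_load rebuild; with fixed == false this is the pre-patch q->wptr = size. */
static void ps2_common_post_load(PS2Queue *q, int size, bool fixed)
{
    q->rptr = 0;
    q->wptr = (fixed && size == PS2_QUEUE_SIZE) ? 0 : size;
    q->count = size;
}
```

With a migrated count of exactly PS2_QUEUE_SIZE, the pre-patch rebuild leaves wptr == PS2_QUEUE_SIZE, which the invariant rejects; the patched rebuild restores wptr = 0 and the ring keeps working after a read frees a slot.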
> -----Original Message-----
> From: liujunjie (A)
> Sent: Thursday, June 07, 2018 4:03 PM
> To: kraxel@redhat.com; berrange@redhat.com
> Cc: Gonglei (Arei) <arei.gonglei@huawei.com>; wangxin (U) <wangxinxin.wang@huawei.com>; Huangweidong (C) <weidong.huang@huawei.com>; fangying <fangying1@huawei.com>; qemu-devel@nongnu.org; liujunjie (A) <liujunjie23@huawei.com>
> Subject: [PATCH] ps2: check PS2Queue wptr pointer in post_load routine
>
> [...]

Reviewed-by: Gonglei <arei.gonglei@huawei.com>
ping

> -----Original Message-----
> From: liujunjie (A)
> Sent: Thursday, June 07, 2018 4:03 PM
> Subject: [PATCH] ps2: check PS2Queue wptr pointer in post_load routine
>
> [...]
On Thu, Jun 14, 2018 at 10:50:47AM +0000, liujunjie (A) wrote:
> ping

Not much activity on input devices, so we have rare pull requests ...
Preparing one now, with this patch added.

cheers,
  Gerd