W dniu 15.01.2018 o 16:13, Aleksey Kuleshov pisze:
> The memset bounds are not checked, so it is possible to write beyond the storage.
> Add checks and truncate the requested length.
>
> Signed-off-by: Aleksey Kuleshov <rndfax@yandex.ru>
Acked-by: Marcin Krzemiński <mar.krzeminski@gmail.com>
> ---
> hw/block/m25p80.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
> index ea142160b3..18ec501912 100644
> --- a/hw/block/m25p80.c
> +++ b/hw/block/m25p80.c
> @@ -539,6 +539,8 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
> uint32_t len;
> uint8_t capa_to_assert = 0;
>
> + assert(0 <= offset && offset < s->size);
> +
> switch (cmd) {
> case ERASE_4K:
> case ERASE4_4K:
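Review bot: The new `assert(0 <= offset && offset < s->size)` turns an out-of-range offset into an abort of the whole emulator, whereas the second hunk of this same patch treats the out-of-range length as a recoverable guest error that is logged and truncated. If offset is derived from guest-supplied command bytes (its origin is outside the hunk, so this is an assumption to confirm), a guest-reachable assert is a denial-of-service vector against the host process rather than an invariant check, and the same logging pattern would be more consistent: `if (offset < 0 || offset >= s->size) { qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase offset out of range!\n"); return; }`. If offset is instead guaranteed in range by the caller, a comment saying so next to the assert would make the difference in treatment between the two hunks intentional. flash_erase's body continues outside the hunk.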
> @@ -581,6 +583,14 @@ static void flash_erase(Flash *s, int offset, FlashCMD cmd)
> qemu_log_mask(LOG_GUEST_ERROR, "M25P80: erase with write protect!\n");
> return;
> }
> +
> + if (offset + len > s->size) {
> + qemu_log_mask(LOG_GUEST_ERROR,
> + "M25P80: trying to erase beyond the flash size! "
> + "Truncating the length...\n");
> + len = s->size - offset;
> + }
> +
> memset(s->storage + offset, 0xff, len);
> flash_sync_area(s, offset, len);
> }
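Review bot: The bound check `offset + len > s->size` depends on the addition not wrapping: offset is an int and len is a uint32_t, so the sum is evaluated in 32-bit unsigned arithmetic, and a len large enough to wrap past offset would pass the test and still reach memset with the unchecked size. Rewriting it as `if (len > s->size - offset)` avoids the addition entirely; the assert added in the first hunk already guarantees offset < s->size, so the subtraction cannot go negative. The type of s->size is not visible here, so confirm it is unsigned and no wider than len before relying on that form. The possible len values come from the switch above this hunk, so whether the wrap is reachable in practice cannot be judged from this hunk alone.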