From: Peter Maydell
To: qemu-devel@nongnu.org
Date: Wed, 13 Dec 2017 18:12:37 +0000
Message-Id: <1513188761-20784-40-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1513188761-20784-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 39/43] hw/display/tc6393xb: limit irq handler index to TC6393XB_GPIOS

From: Prasad J Pandit

The ctz32() routine could return a value greater than TC6393XB_GPIOS=16, because the device has 24 GPIO level bits but we only implement 16 outgoing lines. This could lead to an OOB array access. Mask 'level' to avoid it.

Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
Message-id: 20171212041539.25700-1-ppandit@redhat.com
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell

--- hw/display/tc6393xb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/display/tc6393xb.c b/hw/display/tc6393xb.c index 74d10af..0ae6360 100644 --- a/hw/display/tc6393xb.c +++ b/hw/display/tc6393xb.c @@ -172,6 +172,7 @@ static void tc6393xb_gpio_handler_update(TC6393xbState = *s) int bit; =20 level =3D s->gpio_level & s->gpio_dir; + level &=3D MAKE_64BIT_MASK(0, TC6393XB_GPIOS); =20 for (diff =3D s->prev_level ^ level; diff; diff ^=3D 1 << bit) { bit =3D ctz32(diff); --=20 2.7.4
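
Review bot: the added line "level &= MAKE_64BIT_MASK(0, TC6393XB_GPIOS);" in tc6393xb_gpio_handler_update() has no comment explaining the mask, so the reason for it (the device has 24 GPIO level bits but only 16 outgoing lines are implemented) lives only in the commit message. A one-line comment above the mask would keep a later cleanup from dropping it. The array that 'bit' indexes is outside the visible context, so it is worth confirming that its size is TC6393XB_GPIOS. Since the masked value feeds ctz32(), a compile-time check that TC6393XB_GPIOS is at most 32 would also make the bound explicit.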