From: Michael Roth
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, qemu-stable@nongnu.org, Philippe Mathieu-Daudé
Date: Mon, 18 Jun 2018 20:42:22 -0500
Message-Id: <20180619014319.28272-57-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20180619014319.28272-1-mdroth@linux.vnet.ibm.com>
References: <20180619014319.28272-1-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 056/113] hw/block/pflash_cfi: fix off-by-one error

From: Philippe Mathieu-Daudé

ASAN reported:

  hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for type 'uint8_t [82]'

Since the 'cfi_len' member is not used, remove it to keep the code safer.

Cc: qemu-stable@nongnu.org
Reported-by: AddressSanitizer
Signed-off-by: Philippe Mathieu-Daudé
Signed-off-by: Kevin Wolf
(cherry picked from commit 07c13a71721d9f8c690b66752964e254af247475)
Signed-off-by: Michael Roth
---
 hw/block/pflash_cfi01.c | 10 ++++------
 hw/block/pflash_cfi02.c |  9 ++++-----
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c index 1113ab1ccf..2e8284001d 100644 --- a/hw/block/pflash_cfi01.c +++ b/hw/block/pflash_cfi01.c @@ -90,7 +90,6 @@ struct pflash_t { uint16_t ident1; uint16_t ident2; uint16_t ident3; - uint8_t cfi_len; uint8_t cfi_table[0x52]; uint64_t counter; unsigned int writeblock_size;
@@ -153,7 +152,7 @@ static uint32_t pflash_cfi_query(pflash_t *pfl, hwaddr = offset) boff =3D offset >> (ctz32(pfl->bank_width) + ctz32(pfl->max_device_width) - ctz32(pfl->device_wid= th)); =20 - if (boff > pfl->cfi_len) { + if (boff >=3D sizeof(pfl->cfi_table)) { return 0; } /* Now we will construct the CFI response generated by a single @@ -385,10 +384,10 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr of= fset, boff =3D boff >> 2; } =20 - if (boff > pfl->cfi_len) { - ret =3D 0; - } else { + if (boff < sizeof(pfl->cfi_table)) { ret =3D pfl->cfi_table[boff]; + } else { + ret =3D 0; } } else { /* If we have a read larger than the bank_width, combine multi= ple @@ -791,7 +790,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Erro= r **errp) pfl->cmd =3D 0; pfl->status =3D 0; /* Hardcoded CFI table */ - pfl->cfi_len =3D 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] =3D 'Q'; pfl->cfi_table[0x11] =3D 'R'; diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c index c81ddd3a99..75d1ae1026 100644 --- a/hw/block/pflash_cfi02.c +++ b/hw/block/pflash_cfi02.c @@ -83,7 +83,6 @@ struct pflash_t { uint16_t ident3; uint16_t unlock_addr0; uint16_t unlock_addr1; - uint8_t cfi_len; uint8_t cfi_table[0x52]; QEMUTimer *timer; /* The device replicates the flash memory across its memory space. Em= ulate @@ -235,10 +234,11 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr of= fset, break; case 0x98: /* CFI query mode */ - if (boff > pfl->cfi_len) - ret =3D 0; - else + if (boff < sizeof(pfl->cfi_table)) { ret =3D pfl->cfi_table[boff]; + } else { + ret =3D 0; + } break; } =20 @@ -663,7 +663,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Erro= r **errp) pfl->cmd =3D 0; pfl->status =3D 0; /* Hardcoded CFI table (mostly from SG29 Spansion flash) */ - pfl->cfi_len =3D 0x52; /* Standard "QRY" string */ pfl->cfi_table[0x10] =3D 'Q'; pfl->cfi_table[0x11] =3D 'R'; --=20 2.11.0
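Review bot: the commit message's "the 'cfi_len' member is not used" does not match the struct hunks (the `- uint8_t cfi_len;` lines in both files): cfi_len is read in the three bounds checks this patch rewrites, and the actual defect is the `>` comparison, which lets boff == cfi_len == 0x52 through as an index into `uint8_t cfi_table[0x52]`. For a change that is Cc'd to qemu-stable the message should say that directly, something like "the bound check used > instead of >=, so boff == 0x52 read one byte past cfi_table; drop the redundant cfi_len and compare against sizeof(cfi_table)", so the backport records a bug fix rather than a cleanup.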
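Review bot: in the pflash_cfi_query hunk, `if (boff >= sizeof(pfl->cfi_table))` is correct only because cfi_table is a uint8_t array, where sizeof equals the element count; if the table is ever widened, the check silently becomes too permissive again. An element-count macro such as ARRAY_SIZE(pfl->cfi_table) states the intent (number of entries) and survives a type change; the same applies to the two `boff < sizeof(pfl->cfi_table)` lines in the pflash_read hunks.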
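Review bot: the `case 0x98: /* CFI query mode */` hunk in pflash_cfi02.c fixes a guest-reachable out-of-bounds read, not just a sanitizer complaint: pflash_read is the device's read handler, so a guest that puts the flash into CFI query mode and reads at the offset that decodes to boff == 0x52 received cfi_table[0x52], which per the struct hunks is whatever follows the 82-byte table (padding or the first byte of `QEMUTimer *timer` in pflash_cfi02.c, of `uint64_t counter` in pflash_cfi01.c). That is a one-byte disclosure of host process memory to the guest, which is worth a sentence in the commit message and is the reason the qemu-stable Cc is warranted. The added braces around both branches also bring this switch arm in line with the brace style already used in the pflash_cfi01.c hunks.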
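Added example, not QEMU code and not part of this patch: a reduced C model of the check the patch rewrites, showing why the pre-patch `boff > cfi_len` comparison admits index 0x52 and what that index actually returns, next to the post-patch `boff < sizeof(cfi_table)` form. The field names follow the struct hunks above, but the layout is constructed for the demo (and checked with a static assertion) so that the pointer sits directly after the 82-byte table; the real struct has more fields and may have padding there. The old-check read goes through a byte view of the whole struct so that the example itself stays well-defined; the real code indexes `cfi_table[boff]` directly, which is the access ASAN flagged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced model of the device state (constructed for this example, not QEMU's
 * struct pflash_t): field names echo the hunks, but the order is chosen, and
 * checked below, so that the pointer sits directly after cfi_table with no
 * padding. In the real struct what follows the table depends on the build. */
typedef struct {
    uint16_t ident3;
    uint16_t unlock_addr0;
    uint16_t unlock_addr1;
    uint8_t cfi_table[0x52];   /* 82 bytes: valid indices are 0..0x51 */
    void *timer;               /* stands in for QEMUTimer *timer */
    uint8_t cfi_len;           /* the separately stored length the patch drops */
} model_pflash_t;

_Static_assert(offsetof(model_pflash_t, timer) ==
               offsetof(model_pflash_t, cfi_table) + 0x52,
               "model assumes timer immediately follows cfi_table");

static void model_init(model_pflash_t *pfl)
{
    memset(pfl, 0, sizeof *pfl);
    memset(pfl->cfi_table, 0xAA, sizeof pfl->cfi_table); /* marker for table bytes */
    pfl->cfi_len = 0x52;       /* the value the removed realize() line stored */
    pfl->timer = pfl;          /* any host address: its bytes are what can leak */
}

/* Pre-patch check: '>' accepts boff == cfi_len == 0x52, one past the end. */
static bool cfi_index_ok_old(const model_pflash_t *pfl, uint64_t boff)
{
    return !(boff > pfl->cfi_len);
}

/* Post-patch check: the bound comes from the array itself. */
static bool cfi_index_ok_new(const model_pflash_t *pfl, uint64_t boff)
{
    return boff < sizeof(pfl->cfi_table);
}

/* CFI-query read with the old check. The real code then does
 * pfl->cfi_table[boff], which for boff == 0x52 is the out-of-bounds read ASAN
 * flagged; here the same byte is fetched through a byte view of the whole
 * struct so the demo stays well-defined and shows what that byte really is. */
static uint32_t cfi_read_old(const model_pflash_t *pfl, uint64_t boff)
{
    if (!cfi_index_ok_old(pfl, boff)) {
        return 0;
    }
    const uint8_t *raw = (const uint8_t *)pfl;
    return raw[offsetof(model_pflash_t, cfi_table) + boff];
}

/* CFI-query read as the patch writes it. */
static uint32_t cfi_read_new(const model_pflash_t *pfl, uint64_t boff)
{
    if (cfi_index_ok_new(pfl, boff)) {
        return pfl->cfi_table[boff];
    }
    return 0;
}

/* What a read at index boff returns under each check, on a fresh model. */
static uint32_t read_with_old_check(uint64_t boff)
{
    model_pflash_t pfl;
    model_init(&pfl);
    return cfi_read_old(&pfl, boff);
}

static uint32_t read_with_new_check(uint64_t boff)
{
    model_pflash_t pfl;
    model_init(&pfl);
    return cfi_read_new(&pfl, boff);
}

/* True when the old path returns, for index 0x52, the first stored byte of the
 * timer pointer: host process memory handed to whoever issued the CFI read. */
static bool old_read_leaks_pointer_byte(void)
{
    model_pflash_t pfl;
    model_init(&pfl);
    uint8_t first_ptr_byte;
    memcpy(&first_ptr_byte, &pfl.timer, 1);
    return cfi_read_old(&pfl, 0x52) == first_ptr_byte;
}

int main(void)
{
    printf("index 0x51: old=0x%02x new=0x%02x\n",
           read_with_old_check(0x51), read_with_new_check(0x51));
    printf("index 0x52: old=0x%02x new=0x%02x, old value is a pointer byte: %s\n",
           read_with_old_check(0x52), read_with_new_check(0x52),
           old_read_leaks_pointer_byte() ? "yes" : "no");
    return 0;
}
```

Index 0x51, the last valid entry, reads 0xAA under both checks; index 0x52 reads 0 with the new check and a byte of the pointer with the old one. The model keeps cfi_len as a separate field precisely to show the failure mode the patch removes: a length stored apart from the array is one more value to keep in sync, whereas sizeof cannot drift from the array it describes.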