1. Patchew
  2. QEMU
  3. [PATCH v2 00/39] tests/qtest: Enable running qtest on Windows
  4. View patch

[PATCH v2 28/39] hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure

Bin Meng posted 39 patches 3 years, 4 months ago
There is a newer version of this series
[PATCH v2 28/39] hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure
Posted by Bin Meng 3 years, 4 months ago 
From: Xuzhou Cheng <xuzhou.cheng@windriver.com>

pnv_phb3_root_bus_info and pnv_phb4_root_bus_info are missing the
instance_size initialization. This results in accessing out-of-bound
memory when setting 'chip-id' and 'phb-id', and eventually crashes
glib's malloc functionality with the following message:

  "qemu-system-ppc64: GLib: ../glib-2.72.3/glib/gmem.c:131: failed to allocate 3232 bytes"

This issue was noticed only when running qtests with QEMU Windows
32-bit executable. Windows 64-bit, Linux 32/64-bit do not expose
this bug though.

Fixes: 9ae1329ee2fe ("ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge")
Fixes: 4f9924c4d4cf ("ppc/pnv: Add models for POWER9 PHB4 PCIe Host bridge")
Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
---

Changes in v2:
- new patch: "hw/pci-host: pnv_phb{3,4}: Fix heap out-of-bound access failure"

 hw/pci-host/pnv_phb3.c | 1 +
 hw/pci-host/pnv_phb4.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
index af8575c007..9054c393a2 100644
--- a/hw/pci-host/pnv_phb3.c
+++ b/hw/pci-host/pnv_phb3.c
@@ -1169,6 +1169,7 @@ static void pnv_phb3_root_bus_class_init(ObjectClass *klass, void *data)
 static const TypeInfo pnv_phb3_root_bus_info = {
     .name = TYPE_PNV_PHB3_ROOT_BUS,
     .parent = TYPE_PCIE_BUS,
+    .instance_size = sizeof(PnvPHB3RootBus),
     .class_init = pnv_phb3_root_bus_class_init,
 };
 
diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
index 824e1a73fb..ccbde841fc 100644
--- a/hw/pci-host/pnv_phb4.c
+++ b/hw/pci-host/pnv_phb4.c
@@ -1773,6 +1773,7 @@ static void pnv_phb4_root_bus_class_init(ObjectClass *klass, void *data)
 static const TypeInfo pnv_phb4_root_bus_info = {
     .name = TYPE_PNV_PHB4_ROOT_BUS,
     .parent = TYPE_PCIE_BUS,
+    .instance_size = sizeof(PnvPHB4RootBus),
     .class_init = pnv_phb4_root_bus_class_init,
 };
 
-- 
2.34.1
Re: [PATCH v2 28/39] hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure
Posted by Daniel Henrique Barboza 3 years, 4 months ago 
Bin,

Since I'll send a ppc pull request shortly, I'll queue up both this and patch 27 via
the ppc tree. These are good fixes that are independent of what happens with the
'tests/qtest: Enable running qtest on Windows​' series.


Thanks,


Daniel

On 9/20/22 07:31, Bin Meng wrote:
> From: Xuzhou Cheng <xuzhou.cheng@windriver.com>
> 
> pnv_phb3_root_bus_info and pnv_phb4_root_bus_info are missing the
> instance_size initialization. This results in accessing out-of-bound
> memory when setting 'chip-id' and 'phb-id', and eventually crashes
> glib's malloc functionality with the following message:
> 
>    "qemu-system-ppc64: GLib: ../glib-2.72.3/glib/gmem.c:131: failed to allocate 3232 bytes"
> 
> This issue was noticed only when running qtests with QEMU Windows
> 32-bit executable. Windows 64-bit, Linux 32/64-bit do not expose
> this bug though.
> 
> Fixes: 9ae1329ee2fe ("ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge")
> Fixes: 4f9924c4d4cf ("ppc/pnv: Add models for POWER9 PHB4 PCIe Host bridge")
> Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> ---
> 
> Changes in v2:
> - new patch: "hw/pci-host: pnv_phb{3,4}: Fix heap out-of-bound access failure"
> 
>   hw/pci-host/pnv_phb3.c | 1 +
>   hw/pci-host/pnv_phb4.c | 1 +
>   2 files changed, 2 insertions(+)
> 
> diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
> index af8575c007..9054c393a2 100644
> --- a/hw/pci-host/pnv_phb3.c
> +++ b/hw/pci-host/pnv_phb3.c
> @@ -1169,6 +1169,7 @@ static void pnv_phb3_root_bus_class_init(ObjectClass *klass, void *data)
>   static const TypeInfo pnv_phb3_root_bus_info = {
>       .name = TYPE_PNV_PHB3_ROOT_BUS,
>       .parent = TYPE_PCIE_BUS,
> +    .instance_size = sizeof(PnvPHB3RootBus),
>       .class_init = pnv_phb3_root_bus_class_init,
>   };
>   
> diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
> index 824e1a73fb..ccbde841fc 100644
> --- a/hw/pci-host/pnv_phb4.c
> +++ b/hw/pci-host/pnv_phb4.c
> @@ -1773,6 +1773,7 @@ static void pnv_phb4_root_bus_class_init(ObjectClass *klass, void *data)
>   static const TypeInfo pnv_phb4_root_bus_info = {
>       .name = TYPE_PNV_PHB4_ROOT_BUS,
>       .parent = TYPE_PCIE_BUS,
> +    .instance_size = sizeof(PnvPHB4RootBus),
>       .class_init = pnv_phb4_root_bus_class_init,
>   };
>
Re: [PATCH v2 28/39] hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure
Posted by Bin Meng 3 years, 4 months ago 
On Tue, Sep 20, 2022 at 11:40 PM Daniel Henrique Barboza
<danielhb413@gmail.com> wrote:
>
> Bin,
>
> Since I'll send a ppc pull request shortly, I'll queue up both this and patch 27 via
> the ppc tree. These are good fixes that are independent of what happens with the
> 'tests/qtest: Enable running qtest on Windows' series.
>

Thank you Daniel.

Regards,
Bin
Re: [PATCH v2 28/39] hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure
Posted by Cédric Le Goater 3 years, 4 months ago 
On 9/20/22 12:31, Bin Meng wrote:
> From: Xuzhou Cheng <xuzhou.cheng@windriver.com>
> 
> pnv_phb3_root_bus_info and pnv_phb4_root_bus_info are missing the
> instance_size initialization. This results in accessing out-of-bound
> memory when setting 'chip-id' and 'phb-id', and eventually crashes
> glib's malloc functionality with the following message:
> 
>    "qemu-system-ppc64: GLib: ../glib-2.72.3/glib/gmem.c:131: failed to allocate 3232 bytes"
> 
> This issue was noticed only when running qtests with QEMU Windows
> 32-bit executable. Windows 64-bit, Linux 32/64-bit do not expose
> this bug though.
> 
> Fixes: 9ae1329ee2fe ("ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge")
> Fixes: 4f9924c4d4cf ("ppc/pnv: Add models for POWER9 PHB4 PCIe Host bridge")
> Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>
> Signed-off-by: Bin Meng <bin.meng@windriver.com>

Nice !

Reviewed-by: Cédric Le Goater <clg@kaod.org>

Thanks,

C.

> ---
> 
> Changes in v2:
> - new patch: "hw/pci-host: pnv_phb{3,4}: Fix heap out-of-bound access failure"
> 
>   hw/pci-host/pnv_phb3.c | 1 +
>   hw/pci-host/pnv_phb4.c | 1 +
>   2 files changed, 2 insertions(+)
> 
> diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
> index af8575c007..9054c393a2 100644
> --- a/hw/pci-host/pnv_phb3.c
> +++ b/hw/pci-host/pnv_phb3.c
> @@ -1169,6 +1169,7 @@ static void pnv_phb3_root_bus_class_init(ObjectClass *klass, void *data)
>   static const TypeInfo pnv_phb3_root_bus_info = {
>       .name = TYPE_PNV_PHB3_ROOT_BUS,
>       .parent = TYPE_PCIE_BUS,
> +    .instance_size = sizeof(PnvPHB3RootBus),
>       .class_init = pnv_phb3_root_bus_class_init,
>   };
>   
> diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
> index 824e1a73fb..ccbde841fc 100644
> --- a/hw/pci-host/pnv_phb4.c
> +++ b/hw/pci-host/pnv_phb4.c
> @@ -1773,6 +1773,7 @@ static void pnv_phb4_root_bus_class_init(ObjectClass *klass, void *data)
>   static const TypeInfo pnv_phb4_root_bus_info = {
>       .name = TYPE_PNV_PHB4_ROOT_BUS,
>       .parent = TYPE_PCIE_BUS,
> +    .instance_size = sizeof(PnvPHB4RootBus),
>       .class_init = pnv_phb4_root_bus_class_init,
>   };
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.