Right now all subclasses of TYPE_ISA_SUPERIO have to specify an instance_size,
because the ISASuperIODevice struct adds fields to ISADevice but the type does
not include the increased instance size.  Failure to do so results in an access
past the bounds of struct ISADevice as soon as isa_superio_realize is called.
Fix this by specifying the instance_size already in the superclass.

Cc: Bernhard Beschow <shentey@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/isa/isa-superio.c       | 2 +-
 hw/isa/smc37c669-superio.c | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/isa/isa-superio.c b/hw/isa/isa-superio.c
index e06a548c682..98d50844f71 100644
--- a/hw/isa/isa-superio.c
+++ b/hw/isa/isa-superio.c
@@ -187,6 +187,7 @@ static const TypeInfo isa_superio_type_info = {
     .abstract = true,
     .class_size = sizeof(ISASuperIOClass),
     .class_init = isa_superio_class_init,
+    .instance_size = sizeof(ISASuperIODevice),
 };
 
 /* SMS FDC37M817 Super I/O */
@@ -203,7 +204,6 @@ static void fdc37m81x_class_init(ObjectClass *klass, void *data)
 static const TypeInfo fdc37m81x_type_info = {
     .name          = TYPE_FDC37M81X_SUPERIO,
     .parent        = TYPE_ISA_SUPERIO,
-    .instance_size = sizeof(ISASuperIODevice),
     .class_init    = fdc37m81x_class_init,
 };
 
diff --git a/hw/isa/smc37c669-superio.c b/hw/isa/smc37c669-superio.c
index 388e2ed9371..d2e58c9a895 100644
--- a/hw/isa/smc37c669-superio.c
+++ b/hw/isa/smc37c669-superio.c
@@ -85,7 +85,6 @@ static void smc37c669_class_init(ObjectClass *klass, void *data)
 static const TypeInfo smc37c669_type_info = {
     .name          = TYPE_SMC37C669_SUPERIO,
     .parent        = TYPE_ISA_SUPERIO,
-    .instance_size = sizeof(ISASuperIODevice),
     .class_size    = sizeof(ISASuperIOClass),
     .class_init    = smc37c669_class_init,
 };
-- 
2.43.0

On 7/2/24 12:14, Paolo Bonzini wrote:
> Right now all subclasses of TYPE_ISA_SUPERIO have to specify an instance_size,
> because the ISASuperIODevice struct adds fields to ISADevice but the type does
> not include the increased instance size.  Failure to do so results in an access
> past the bounds of struct ISADevice as soon as isa_superio_realize is called.
> Fix this by specifying the instance_size already in the superclass.
> 
> Cc: Bernhard Beschow <shentey@gmail.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>   hw/isa/isa-superio.c       | 2 +-
>   hw/isa/smc37c669-superio.c | 1 -
>   2 files changed, 1 insertion(+), 2 deletions(-)

Oops, thanks!

Fixes: 4c3119a6e3 ("hw/isa/superio: Factor out the parallel code from 
pc87312.c")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Am 7. Februar 2024 19:03:30 UTC schrieb "Philippe Mathieu-Daudé" <philmd@linaro.org>:
>On 7/2/24 12:14, Paolo Bonzini wrote:
>> Right now all subclasses of TYPE_ISA_SUPERIO have to specify an instance_size,
>> because the ISASuperIODevice struct adds fields to ISADevice but the type does
>> not include the increased instance size.  Failure to do so results in an access
>> past the bounds of struct ISADevice as soon as isa_superio_realize is called.
>> Fix this by specifying the instance_size already in the superclass.
>> 
>> Cc: Bernhard Beschow <shentey@gmail.com>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> ---
>>   hw/isa/isa-superio.c       | 2 +-
>>   hw/isa/smc37c669-superio.c | 1 -
>>   2 files changed, 1 insertion(+), 2 deletions(-)
>
>Oops, thanks!
>
>Fixes: 4c3119a6e3 ("hw/isa/superio: Factor out the parallel code from pc87312.c")
>Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Fixes a latent bug which thankfully isn't materialized at the moment.

Reviewed-by: Bernhard Beschow <shentey@gmail.com>