[PATCH] hw/i3c: Fix array bounds and storage in i3c_addr_is_rsvd()

Cédric Le Goater posted 1 patch 1 month, 1 week ago
Failed in applying to current master (apply log)
hw/i3c/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] hw/i3c: Fix array bounds and storage in i3c_addr_is_rsvd()
Posted by Cédric Le Goater 1 month, 1 week ago
The size of the is_rsvd lookup table in i3c_addr_is_rsvd() is 255 but
should be 256 to cover all possible uint8_t address values and avoid
potential out-of-bounds access.

The array should be static too as it's a constant lookup table.

Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/i3c/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i3c/core.c b/hw/i3c/core.c
index 8a37099ce3ff..0a266e00a279 100644
--- a/hw/i3c/core.c
+++ b/hw/i3c/core.c
@@ -525,7 +525,7 @@ int i3c_target_ibi_finish(I3CTarget *t, uint8_t data)
 
 static bool i3c_addr_is_rsvd(uint8_t addr)
 {
-    const bool is_rsvd[255] = {
+    static const bool is_rsvd[256] = {
         [0x00] = true,
         [0x01] = true,
         [0x02] = true,
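Review bot: The dimension on the `+    static const bool is_rsvd[256]` line is a bare literal whose correctness depends on the `uint8_t addr` parameter in the signature above it, which is the same coupling the old `[255]` got wrong (valid indices 0 to 254, so `addr == 0xff` indexed one element past the end). Consider writing the size as `UINT8_MAX + 1` so the bound is visibly derived from the index type and cannot drift from it again. The `static` addition is fine: it makes the table a single read-only object instead of an automatic array initialized on each call.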
-- 
2.53.0


RE: [PATCH] hw/i3c: Fix array bounds and storage in i3c_addr_is_rsvd()
Posted by Jamin Lin 1 month, 1 week ago
> Subject: [PATCH] hw/i3c: Fix array bounds and storage in i3c_addr_is_rsvd()
> 
> The size of the is_rsvd lookup table in i3c_addr_is_rsvd() is 255 but should be
> 256 to cover all possible uint8_t address values and avoid potential
> out-of-bounds access.
> 
> The array should be static too as it's a constant lookup table.
> 
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>  hw/i3c/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/i3c/core.c b/hw/i3c/core.c index 8a37099ce3ff..0a266e00a279
> 100644
> --- a/hw/i3c/core.c
> +++ b/hw/i3c/core.c
> @@ -525,7 +525,7 @@ int i3c_target_ibi_finish(I3CTarget *t, uint8_t data)
> 
>  static bool i3c_addr_is_rsvd(uint8_t addr)  {
> -    const bool is_rsvd[255] = {
> +    static const bool is_rsvd[256] = {
>          [0x00] = true,
>          [0x01] = true,
>          [0x02] = true,
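Review bot: The commit message for the `-    const bool is_rsvd[255]` to `+    static const bool is_rsvd[256]` change says "potential out-of-bounds access" without naming the index, and it carries no `Fixes:` tag. With a `uint8_t` index and 255 elements, the only out-of-range value is `addr == 0xff`; stating that, and referencing the commit that introduced the table, would make it easier to judge whether the fix needs backporting.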
> --
> 2.53.0

Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>

Thanks,
Jamin

Re: [PATCH] hw/i3c: Fix array bounds and storage in i3c_addr_is_rsvd()
Posted by Nabih Estefan 1 month, 1 week ago
On Mon, Mar 2, 2026 at 11:39 AM Cédric Le Goater <clg@redhat.com> wrote:
>
> The size of the is_rsvd lookup table in i3c_addr_is_rsvd() is 255 but
> should be 256 to cover all possible uint8_t address values and avoid
> potential out-of-bounds access.
>
> The array should be static too as it's a constant lookup table.
>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>  hw/i3c/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/i3c/core.c b/hw/i3c/core.c
> index 8a37099ce3ff..0a266e00a279 100644
> --- a/hw/i3c/core.c
> +++ b/hw/i3c/core.c
> @@ -525,7 +525,7 @@ int i3c_target_ibi_finish(I3CTarget *t, uint8_t data)
>
>  static bool i3c_addr_is_rsvd(uint8_t addr)
>  {
> -    const bool is_rsvd[255] = {
> +    static const bool is_rsvd[256] = {

Given that we're using hex addressing for the values in is_rsvd, could
we make the size `0xff` so it maintains the same formatting?
Otherwise, it looks good to me.

Reviewed-by: Nabih Estefan <nabihestefan@google.com>

>          [0x00] = true,
>          [0x01] = true,
>          [0x02] = true,
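Review bot: If the dimension on the `+    static const bool is_rsvd[256]` line is written in hex to match the `[0x00]`-style designators, it has to be `0x100`; `0xff` is 255, the size on the `-` line, and would again leave index `0xff` outside the array.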
> --
> 2.53.0
>