[PULL 24/38] hw/i3c: Fix array bounds and storage in i3c_addr_is_rsvd()

Cédric Le Goater posted 38 patches 1 month, 1 week ago
Maintainers: Paolo Bonzini <pbonzini@redhat.com>, Peter Maydell <peter.maydell@linaro.org>, "Cédric Le Goater" <clg@kaod.org>, Steven Lee <steven_lee@aspeedtech.com>, Troy Lee <leetroy@gmail.com>, Jamin Lin <jamin_lin@aspeedtech.com>, Andrew Jeffery <andrew@codeconstruct.com.au>, Joel Stanley <joel@jms.id.au>, Joe Komlodi <komlodi@google.com>, Nabih Estefan <nabihestefan@google.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, "Philippe Mathieu-Daudé" <philmd@linaro.org>
There is a newer version of this series
Posted by Cédric Le Goater 1 month, 1 week ago
The size of the is_rsvd lookup table in i3c_addr_is_rsvd() is 255 but
should be 256 to cover all possible uint8_t address values and avoid
potential out-of-bounds access.

The array should be static too as it's a constant lookup table.

Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Nabih Estefan <nabihestefan@google.com>
Link: https://lore.kernel.org/qemu-devel/20260302193931.382228-1-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/i3c/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i3c/core.c b/hw/i3c/core.c
index 8a37099ce3ff..0a266e00a279 100644
--- a/hw/i3c/core.c
+++ b/hw/i3c/core.c
@@ -525,7 +525,7 @@ int i3c_target_ibi_finish(I3CTarget *t, uint8_t data)
 
 static bool i3c_addr_is_rsvd(uint8_t addr)
 {
-    const bool is_rsvd[255] = {
+    static const bool is_rsvd[256] = {
         [0x00] = true,
         [0x01] = true,
         [0x02] = true,
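
Review bot: the literal 256 in `static const bool is_rsvd[256]` is tied to the `uint8_t addr` parameter only by convention. Writing the bound as `UINT8_MAX + 1`, or adding a one-line comment that the table is indexed by the full uint8_t range, would keep the size from drifting if the parameter type or the table is touched again. Also note that the diffstat shows a single changed line and a 255-element array could not have carried a `[0xFF]` designator, so the new last slot is zero-initialised and address 0xFF reads as not reserved. It would help to state in the commit message or a comment that this is the intended result for that address.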
-- 
2.53.0