From: Juan Quintela
Subject: [Qemu-devel] Re: [RFT][PATCH 01/15] hpet: Catch out-of-bounds timer access
Date: Mon, 24 May 2010 22:34:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)

Jan Kiszka <address@hidden> wrote:
> From: Jan Kiszka <address@hidden>
>
> Also prevent out-of-bounds write access to the timers but don't spam the
> host console if it triggers.
>
> Signed-off-by: Jan Kiszka <address@hidden>
> ---
>  hw/hpet.c |    6 +++++-
>  1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/hw/hpet.c b/hw/hpet.c
> index 8729fb2..1980906 100644
> --- a/hw/hpet.c
> +++ b/hw/hpet.c
> @@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, 
> target_phys_addr_t addr)
>      if (index >= 0x100 && index <= 0x3ff) {
>          uint8_t timer_id = (addr - 0x100) / 0x20;
>          if (timer_id > HPET_NUM_TIMERS - 1) {
> -            printf("qemu: timer id out of range\n");
> +            DPRINTF("qemu: timer id out of range\n");
>              return 0;
>          }
>          HPETTimer *timer = &s->timer[timer_id];
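Review bot: the range test `timer_id > HPET_NUM_TIMERS - 1` at the top of this hunk is correct, but `timer_id >= HPET_NUM_TIMERS` is the usual idiom for an array index check and is easier to read; worth switching while the neighbouring line is being touched. Replacing the unconditional `printf` with `DPRINTF` is the right call in the read path: an out-of-range timer register offset is chosen entirely by the guest, so an always-on message lets a guest fill the host console at will, which the debug-only form avoids in normal builds. The `return 0` already sits before `HPETTimer *timer = &s->timer[timer_id];`, so no reordering is needed on the read side.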
> @@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, 
> target_phys_addr_t addr,
>          DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);

If you are going to check timer_id, check it before accessing the array?

>          HPETTimer *timer = &s->timer[timer_id];
>  
> +        if (timer_id > HPET_NUM_TIMERS - 1) {
> +            DPRINTF("qemu: timer id out of range\n");
> +            return;
> +        }
>          switch ((addr - 0x100) % 0x20) {
>              case HPET_TN_CFG:
>                  DPRINTF("qemu: hpet_ram_writel HPET_TN_CFG\n");
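Review bot: the added bound check in this hunk lands after `HPETTimer *timer = &s->timer[timer_id];`, so the timer array is still indexed with an unchecked timer_id before the range is tested. The pointer is not dereferenced until after the check, but forming `&s->timer[timer_id]` with an index past the end of the array is already undefined behaviour in C, and nothing here prevents a compiler from assuming the index was valid. Move the block
`if (timer_id > HPET_NUM_TIMERS - 1) { DPRINTF(...); return; }`
above the `HPETTimer *timer = ...` line, which matches the order the first hunk shows in hpet_ram_readl (check, early return, then take the pointer); if the read-side test is rewritten as `timer_id >= HPET_NUM_TIMERS`, use the same form here. This is the ordering problem raised in the reply above.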


