[Qemu-devel] [PULL 14/37] spapr: Fix integer overflow during migration (TCG)
From: Alexander Graf
Subject: [Qemu-devel] [PULL 14/37] spapr: Fix integer overflow during migration (TCG)
Date: Wed, 7 Jan 2015 16:20:25 +0100
From: Samuel Mendoza-Jonas <address@hidden>
The n_valid and n_invalid fields are unsigned short integers but it is
possible to have more than 65535 entries in a contiguous hunk, overflowing
the field. This results in an incorrect HTAB being sent to the destination
during migration.
Signed-off-by: Samuel Mendoza-Jonas <address@hidden>
Reviewed-by: Alexey Kardashevskiy <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
---
hw/ppc/spapr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 869b721..765a44c 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1065,7 +1065,7 @@ static void htab_save_first_pass(QEMUFile *f,
sPAPREnvironment *spapr,
/* Consume valid HPTEs */
chunkstart = index;
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
&& HPTE_VALID(HPTE(spapr->htab, index))) {
index++;
CLEAN_HPTE(HPTE(spapr->htab, index));
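Review bot: The new bound `(index - chunkstart < USHRT_MAX)` lets a run reach exactly USHRT_MAX entries, which is the largest value an unsigned short n_valid can hold, so the cap matches the field width; USHRT_MAX comes from limits.h and the includes are outside this hunk, so confirm spapr.c already pulls it in. A pre-existing issue in the same loop, not introduced by this change, is that the body runs `index++;` before `CLEAN_HPTE(HPTE(spapr->htab, index));`, so each iteration cleans the entry after the one just consumed, the entry at chunkstart is never cleaned, and the CLEAN_HPTE on the final iteration runs with index already equal to htabslots; that deserves a follow-up patch.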
@@ -1117,7 +1117,7 @@ static int htab_save_later_pass(QEMUFile *f,
sPAPREnvironment *spapr,
chunkstart = index;
/* Consume valid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
&& HPTE_DIRTY(HPTE(spapr->htab, index))
&& HPTE_VALID(HPTE(spapr->htab, index))) {
CLEAN_HPTE(HPTE(spapr->htab, index));
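Review bot: The reason for USHRT_MAX lives only in the commit message; a one-line comment above this loop (for example `/* n_valid is an unsigned short, so cap the run at USHRT_MAX */`) would stop a future reader from simplifying the bound away, and since the same three-term condition now appears in three loops, a small helper or a named constant tied to the type of n_valid would keep the cap in one place. Also worth a comment: hitting the cap now splits a still-valid, still-dirty run across two hunks, which relies on the enclosing loop coming back to `chunkstart = index;` for the remainder.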
@@ -1127,7 +1127,7 @@ static int htab_save_later_pass(QEMUFile *f,
sPAPREnvironment *spapr,
invalidstart = index;
/* Consume invalid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - invalidstart < USHRT_MAX)
&& HPTE_DIRTY(HPTE(spapr->htab, index))
&& !HPTE_VALID(HPTE(spapr->htab, index))) {
CLEAN_HPTE(HPTE(spapr->htab, index));
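Review bot: With the cap on `index - invalidstart`, the two halves of a hunk can now be empty in new ways: when the valid loop just above stops at USHRT_MAX, the entry at index is still valid and dirty, so this loop consumes nothing and n_invalid is 0; when this loop stops at the cap, the following hunk begins with `chunkstart = index;` on an invalid entry and gets an n_valid of 0. Check that the hunk emitter and the receiving side both accept a zero-length half, so a capped run neither stalls the pass nor is mistaken for end-of-table.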
--
1.8.1.4
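To see the field-width problem the commit message describes in isolation, here is an added C model, constructed for this note and not QEMU's code, of the valid-run walker with a 16-bit n_valid: the one-byte-per-slot table, `hunk_t`, `save_valid_runs` and `roundtrip` are assumptions, a cap of USHRT_MAX reproduces the patch's bound, and a cap of SIZE_MAX reproduces the unbounded pre-patch loop.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the HTAB save path, not QEMU's code: one byte per
 * slot (non-zero = valid) and a saved hunk carrying n_valid as a 16-bit
 * field, like the real n_valid/n_invalid header fields. */
typedef struct { uint16_t n_valid; } hunk_t;

/* Walk the table and emit one hunk per run of valid entries, never letting a
 * run exceed `cap` entries. cap = SIZE_MAX reproduces the pre-patch loop
 * (a 65536-entry run wraps to n_valid = 0); cap = USHRT_MAX is the fix. */
static size_t save_valid_runs(const uint8_t *htab, size_t slots, size_t cap,
                              hunk_t *out, size_t max_hunks)
{
    size_t index = 0, n = 0;
    while (index < slots && n < max_hunks) {
        if (!htab[index]) { index++; continue; }
        size_t chunkstart = index;
        while (index < slots && (index - chunkstart < cap) && htab[index])
            index++;
        out[n++].n_valid = (uint16_t)(index - chunkstart); /* truncates if > 65535 */
    }
    return n;
}

/* What the receiver would reconstruct: the sum of n_valid over all hunks. */
static size_t received_valid(const hunk_t *h, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += h[i].n_valid;
    return total;
}

/* Build a constructed table with a single valid run of `run` entries and
 * return how many valid entries survive the trip with the given cap. */
static size_t roundtrip(size_t run, size_t cap)
{
    size_t slots = run + 16;
    uint8_t *htab = calloc(slots, 1);
    hunk_t hunks[8];
    memset(htab + 8, 1, run);                /* valid run starts at slot 8 */
    size_t n = save_valid_runs(htab, slots, cap, hunks, 8);
    free(htab);
    return received_valid(hunks, n);
}
```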