From: David Gibson
Subject: [Qemu-devel] [PULL 33/36] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
Date: Wed, 23 Sep 2015 11:55:35 +1000
From: Thomas Huth <address@hidden>
The buffer that is allocated in spapr_populate_drconf_memory()
is used for setting both the "ibm,dynamic-memory" and the
"ibm,associativity-lookup-arrays" property. However, only the
size of the first one is taken into account when allocating the
memory. So if the length of the second property is larger than
the length of the first one, we run into a buffer overflow here!
Fix it by taking the length of the second property into account,
too.
Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: David Gibson <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
hw/ppc/spapr.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 59fc814..1333375 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -725,9 +725,12 @@ static int spapr_populate_drconf_memory(sPAPRMachineState
*spapr, void *fdt)
uint32_t *int_buf, *cur_index, buf_len;
int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1;
- /* Allocate enough buffer size to fit in ibm,dynamic-memory */
- buf_len = nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t) +
- sizeof(uint32_t);
+ /*
+ * Allocate enough buffer size to fit in ibm,dynamic-memory
+ * or ibm,associativity-lookup-arrays
+ */
+ buf_len = MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1, nr_nodes * 4 + 2)
+ * sizeof(uint32_t);
cur_index = int_buf = g_malloc0(buf_len);
offset = fdt_add_subnode(fdt, 0, "ibm,dynamic-reconfiguration-memory");
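Review bot: the second operand of MAX, `nr_nodes * 4 + 2`, is two bare magic numbers, and the new comment only names the property without saying what they encode. Either spell out the layout in the comment (two header cells, then nr_nodes arrays of 4 cells each) or give the 4 a named constant next to SPAPR_DR_LMB_LIST_ENTRY_SIZE, because the code that actually fills ibm,associativity-lookup-arrays lies outside this hunk and nothing ties its cell count to this allocation; if one side changes and the other does not, the overflow this patch fixes comes back. It would also help to state in the comment that the same buffer is reused from its start for the second property, since that is the reason the allocation has to cover the larger of the two rather than just ibm,dynamic-memory.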
--
2.4.3
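To make the sizing bug in the commit message concrete, the following is an added example in C, not QEMU code: it models the two properties as cell counts (`nr_lmbs * ENTRY_SIZE + 1` for ibm,dynamic-memory and `nr_nodes * 4 + 2` for ibm,associativity-lookup-arrays, the arithmetic visible in the patch), fills a buffer the way the device-tree code does (first property, then the second from the start of the same buffer) through a bounds-checking writer, and compares the pre-fix allocation with the MAX()-based one. The entry size of 6 cells, the 4-cell associativity arrays and the helper names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed constants for this example; QEMU's real values are not on the page. */
#define LMB_LIST_ENTRY_CELLS 6   /* assumed cells per ibm,dynamic-memory entry */
#define ASSOC_ARRAY_CELLS    4   /* cells per associativity array (the patch's "* 4") */

/* Bounded cell writer: records an overrun instead of corrupting the heap. */
struct cellbuf {
    uint32_t *base;
    size_t cap;        /* capacity in 32-bit cells */
    size_t len;        /* cells written so far (may exceed cap on overrun) */
    int overflowed;
};

static void put_cell(struct cellbuf *b, uint32_t v) {
    if (b->len < b->cap) {
        b->base[b->len] = v;
    } else {
        b->overflowed = 1;   /* a plain g_malloc0 buffer would be overrun here */
    }
    b->len++;
}

/* Cells each property needs, mirroring the arithmetic in the patch. */
static size_t dynamic_memory_cells(size_t nr_lmbs) {
    return nr_lmbs * LMB_LIST_ENTRY_CELLS + 1;   /* entry count, then entries */
}

static size_t lookup_arrays_cells(size_t nr_nodes) {
    return nr_nodes * ASSOC_ARRAY_CELLS + 2;     /* two header cells, then arrays */
}

/* Allocation size in bytes before the fix: sized for the first property only. */
static size_t buf_len_before(size_t nr_lmbs, size_t nr_nodes) {
    (void)nr_nodes;
    return dynamic_memory_cells(nr_lmbs) * sizeof(uint32_t);
}

/* Allocation size in bytes after the fix: the larger of the two properties. */
static size_t buf_len_after(size_t nr_lmbs, size_t nr_nodes) {
    size_t a = dynamic_memory_cells(nr_lmbs);
    size_t b = lookup_arrays_cells(nr_nodes);
    return (a > b ? a : b) * sizeof(uint32_t);
}

/* Write both properties into one buffer of buf_len bytes, reusing it from the
 * start for the second one as the real code does. Returns 1 on overrun. */
static int populate(size_t buf_len, size_t nr_lmbs, size_t nr_nodes) {
    struct cellbuf b = { 0 };
    size_t i, j;
    int overflowed;

    b.cap = buf_len / sizeof(uint32_t);
    b.base = calloc(b.cap ? b.cap : 1, sizeof(uint32_t));
    if (!b.base) {
        return -1;
    }

    /* ibm,dynamic-memory: count cell followed by nr_lmbs entries. */
    put_cell(&b, (uint32_t)nr_lmbs);
    for (i = 0; i < nr_lmbs; i++) {
        for (j = 0; j < LMB_LIST_ENTRY_CELLS; j++) {
            put_cell(&b, 0);
        }
    }

    /* ibm,associativity-lookup-arrays: rewind and reuse the same buffer. */
    b.len = 0;
    put_cell(&b, (uint32_t)nr_nodes);
    put_cell(&b, ASSOC_ARRAY_CELLS);
    for (i = 0; i < nr_nodes; i++) {
        for (j = 0; j < ASSOC_ARRAY_CELLS; j++) {
            put_cell(&b, (uint32_t)i);
        }
    }

    overflowed = b.overflowed;
    free(b.base);
    return overflowed;
}

int main(void) {
    /* One LMB but four NUMA nodes: the second property is the larger one. */
    size_t nr_lmbs = 1, nr_nodes = 4;
    printf("before fix: %zu bytes, overrun=%d\n", buf_len_before(nr_lmbs, nr_nodes),
           populate(buf_len_before(nr_lmbs, nr_nodes), nr_lmbs, nr_nodes));
    printf("after fix:  %zu bytes, overrun=%d\n", buf_len_after(nr_lmbs, nr_nodes),
           populate(buf_len_after(nr_lmbs, nr_nodes), nr_lmbs, nr_nodes));
    return 0;
}
```

With one LMB and four nodes the old allocation is 28 bytes while the lookup arrays need 72, so the second property overruns; with many LMBs and few nodes the first property dominates and the old sizing happened to be enough, which is why the bug only shows up for particular guest configurations.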