From: Michael Roth
Subject: [Qemu-stable] [PATCH 39/53] spapr_vty: lookup should only return valid VTY objects
Date: Thu, 30 Jul 2015 06:32:54 -0500
From: David Gibson <address@hidden>
If a guest passes the reg property of a valid VIO object that is not a VTY
to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
assertion and aborts.
PAPR+ says "Hypervisor checks the termno parameter for validity against the
Vterm IOA unit addresses assigned to the partition, else return H_Parameter."
This patch adds a type check to ensure vty_lookup() either returns a pointer
to a valid VTY object or NULL. H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
now return H_PARAMETER to the guest instead of crashing.
The patch has no effect on the reg == 0 hack used to implement the RTAS call
display-character.
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: David Gibson <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit 0f888bfaddfc5f55b0d82cde2e1164658a672375)
Signed-off-by: Michael Roth <address@hidden>
---
hw/char/spapr_vty.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c
index 4e464bd..c7f824e 100644
--- a/hw/char/spapr_vty.c
+++ b/hw/char/spapr_vty.c
@@ -228,6 +228,10 @@ VIOsPAPRDevice *vty_lookup(sPAPREnvironment *spapr,
target_ulong reg)
return spapr_vty_get_default(spapr->vio_bus);
}
+ if (!object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE)) {
+ return NULL;
+ }
+
return sdev;
}
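Review bot: the added `if (!object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE))` test has no comment saying why a device that was found by reg is still rejected. A one-line comment above it (reg can name a VIO device that is not a VTY, and callers treat NULL as an invalid termno) would keep it from being dropped as redundant later. The test also sits after the early `return spapr_vty_get_default(spapr->vio_bus);`, so that path hands back its result without the same type test; confirm the default lookup can only yield a VTY. The lines that assign sdev are outside the hunk, so if sdev can be NULL at this point the test relies on object_dynamic_cast() accepting a NULL object, which is worth stating in the same comment.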
--
1.9.1
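The failure mode the commit message describes, as an added toy model in C that is not QEMU code and not part of the patch: a lookup keyed on a guest-supplied unit address returns a device only when its type matches, so the handler answers H_PARAMETER instead of reaching a cast on the wrong object. All struct, function and address names are hypothetical, the bus contents are constructed, and the return-code values are assumed for the model.

```c
#include <stddef.h>

/* Toy model, not QEMU code: every name and value here is an assumption. */
enum dev_type { DEV_VTY, DEV_VSCSI, DEV_VLAN };
enum { H_SUCCESS = 0, H_PARAMETER = -4 };

struct vio_dev {
    enum dev_type type;
    unsigned long reg;   /* unit address the guest passes as termno */
    char last_char;      /* only meaningful for a VTY */
};

/* Constructed sample bus: one VTY next to two non-VTY devices. */
static struct vio_dev bus[] = {
    { DEV_VSCSI, 0x2000UL, 0 },
    { DEV_VTY,   0x3000UL, 0 },
    { DEV_VLAN,  0x1000UL, 0 },
};
#define BUS_LEN (sizeof(bus) / sizeof(bus[0]))

/* Untyped lookup: any device with this reg; reg 0 falls back to the
 * first VTY, modelling the default-console path. */
static struct vio_dev *find_dev(unsigned long reg)
{
    for (size_t i = 0; i < BUS_LEN; i++) {
        if (bus[i].reg == reg || (reg == 0 && bus[i].type == DEV_VTY)) {
            return &bus[i];
        }
    }
    return NULL;
}

/* Typed lookup: a device of the wrong type is treated like no device. */
static struct vio_dev *vty_lookup_checked(unsigned long reg)
{
    struct vio_dev *dev = find_dev(reg);
    return (dev && dev->type == DEV_VTY) ? dev : NULL;
}

/* Handler for a guest request: termno is untrusted input. */
long h_put_term_char(unsigned long termno, char c)
{
    struct vio_dev *vty = vty_lookup_checked(termno);
    if (!vty) {
        return H_PARAMETER;   /* error to the guest, host keeps running */
    }
    vty->last_char = c;
    return H_SUCCESS;
}
```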