[Qemu-devel] [PULL 02/20] target-s390x: fix possible out of bounds read
From: Michael Tokarev
Subject: [Qemu-devel] [PULL 02/20] target-s390x: fix possible out of bounds read
Date: Thu, 11 Dec 2014 21:15:50 +0300
From: zhanghailiang <address@hidden>
Array index starts at 0, so the valid index of ext_queue array,
io_queue array, mchk_queue array should be MAX_EXT_QUEUE - 1,
MAX_IO_QUEUE - 1, MAX_MCHK_QUEUE - 1.
The original checks missed the invalid bound value, which will lead to a
possible out of bounds read in the following code.
Signed-off-by: zhanghailiang <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
---
target-s390x/helper.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/target-s390x/helper.c b/target-s390x/helper.c
index 09aec7b..96a4f22 100644
--- a/target-s390x/helper.c
+++ b/target-s390x/helper.c
@@ -648,7 +648,7 @@ static void do_ext_interrupt(CPUS390XState *env)
cpu_abort(CPU(cpu), "Ext int w/o ext mask\n");
}
- if (env->ext_index < 0 || env->ext_index > MAX_EXT_QUEUE) {
+ if (env->ext_index < 0 || env->ext_index >= MAX_EXT_QUEUE) {
cpu_abort(CPU(cpu), "Ext queue overrun: %d\n", env->ext_index);
}
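Review bot: the corrected bound is the right one: ext_index is used as an index into ext_queue, so the last valid value is MAX_EXT_QUEUE - 1, and the old `>` comparison let ext_index == MAX_EXT_QUEUE through to read one element past the array. Since this check only aborts on an already-corrupt index, it is worth confirming that the enqueue side (wherever ext_index is incremented, not visible in this hunk) also stops at MAX_EXT_QUEUE - 1 so the abort path is never reached in normal operation.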
@@ -696,7 +696,7 @@ static void do_io_interrupt(CPUS390XState *env)
if (env->io_index[isc] < 0) {
continue;
}
- if (env->io_index[isc] > MAX_IO_QUEUE) {
+ if (env->io_index[isc] >= MAX_IO_QUEUE) {
cpu_abort(CPU(cpu), "I/O queue overrun for isc %d: %d\n",
isc, env->io_index[isc]);
}
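Review bot: the second subscript here, isc in io_index[isc], is not bounded anywhere in this hunk; the fix to `>= MAX_IO_QUEUE` is correct for the queue position, but the change is only complete if the enclosing loop keeps isc within the io_index array, which should be checked in the surrounding code. The split between `< 0` meaning "empty, continue" and `>= MAX_IO_QUEUE` meaning "corrupt, abort" is clear and worth keeping as is.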
@@ -754,7 +754,7 @@ static void do_mchk_interrupt(CPUS390XState *env)
cpu_abort(CPU(cpu), "Machine check w/o mchk mask\n");
}
- if (env->mchk_index < 0 || env->mchk_index > MAX_MCHK_QUEUE) {
+ if (env->mchk_index < 0 || env->mchk_index >= MAX_MCHK_QUEUE) {
cpu_abort(CPU(cpu), "Mchk queue overrun: %d\n", env->mchk_index);
}
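Review bot: same off-by-one as the ext and I/O hunks, fixed the same way, so the three interrupt queues are now checked consistently. A short comment next to these checks stating that the maximum valid index is MAX_*_QUEUE - 1 would make the intent explicit and stop the `>` form from being reintroduced; the abort message already prints the offending index, which is useful for diagnosing a corrupt queue state.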
--
2.1.3