From patchwork Tue Jan 3 21:17:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jean-Christophe Dubois X-Patchwork-Id: 9495699 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 66DF360413 for ; Tue, 3 Jan 2017 21:17:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 59D5C1FE6A for ; Tue, 3 Jan 2017 21:17:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4E43B1FF26; Tue, 3 Jan 2017 21:17:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7018627D0E for ; Tue, 3 Jan 2017 21:17:37 +0000 (UTC) Received: from localhost ([::1]:36116 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOWSd-0007u0-M1 for patchwork-qemu-devel@patchwork.kernel.org; Tue, 03 Jan 2017 16:17:35 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40272) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOWSM-0007sl-QD for qemu-devel@nongnu.org; Tue, 03 Jan 2017 16:17:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cOWSI-00045K-Rf for qemu-devel@nongnu.org; Tue, 03 Jan 2017 16:17:18 -0500 Received: from relay6-d.mail.gandi.net ([2001:4b98:c:538::198]:56506) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cOWSI-000458-LW for qemu-devel@nongnu.org; Tue, 03 Jan 2017 
16:17:14 -0500 Received: from mfilter11-d.gandi.net (mfilter11-d.gandi.net [217.70.178.131]) by relay6-d.mail.gandi.net (Postfix) with ESMTP id 99669FB8A0; Tue, 3 Jan 2017 22:17:12 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at mfilter11-d.gandi.net Received: from relay6-d.mail.gandi.net ([IPv6:::ffff:217.70.183.198]) by mfilter11-d.gandi.net (mfilter11-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id KqwLeF5kWPTk; Tue, 3 Jan 2017 22:17:11 +0100 (CET) X-Originating-IP: 78.235.240.156 Received: from localhost.localdomain (smm49-1-78-235-240-156.fbx.proxad.net [78.235.240.156]) (Authenticated sender: jcd@tribudubois.net) by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id E91E5FB89E; Tue, 3 Jan 2017 22:17:09 +0100 (CET) From: Jean-Christophe Dubois To: qemu-devel@nongnu.org, peter.maydell@linaro.org, mar.krzeminski@gmail.com Date: Tue, 3 Jan 2017 22:17:05 +0100 Message-Id: <20170103211705.27876-1-jcd@tribudubois.net> X-Mailer: git-send-email 2.9.3 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4b98:c:538::198 Subject: [Qemu-devel] [PATCH] [m25p80] Abort in case we overrun the internal data buffer X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jean-Christophe Dubois Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Signed-off-by: Jean-Christophe Dubois --- hw/block/m25p80.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index d29ff4c..6c374cf 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -28,6 +28,7 @@ #include "hw/ssi/ssi.h" #include "qemu/bitops.h" #include "qemu/log.h" +#include "qemu/error-report.h" #include "qapi/error.h" #ifndef M25P80_ERR_DEBUG 
@@ -376,6 +377,8 @@ typedef enum { MAN_GENERIC, } Manufacturer; +#define _INTERNAL_DATA_SIZE 16 + typedef struct Flash { SSISlave parent_obj; @@ -386,7 +389,7 @@ typedef struct Flash { int page_size; uint8_t state; - uint8_t data[16]; + uint8_t data[_INTERNAL_DATA_SIZE]; uint32_t len; uint32_t pos; uint8_t needed_bytes; @@ -1114,6 +1117,12 @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t tx) case STATE_COLLECTING_DATA: case STATE_COLLECTING_VAR_LEN_DATA: + + if (s->len >= _INTERNAL_DATA_SIZE) { + error_report("Bug - Write overrun internal data buffer"); + abort(); + } + s->data[s->len] = (uint8_t)tx; s->len++; @@ -1123,6 +1132,12 @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t tx) break; case STATE_READING_DATA: + + if (s->pos >= _INTERNAL_DATA_SIZE) { + error_report("Bug - Read overrun internal data buffer"); + abort(); + } + r = s->data[s->pos]; s->pos++; if (s->pos == s->len) { @@ -1195,7 +1210,7 @@ static const VMStateDescription vmstate_m25p80 = { .pre_save = m25p80_pre_save, .fields = (VMStateField[]) { VMSTATE_UINT8(state, Flash), - VMSTATE_UINT8_ARRAY(data, Flash, 16), + VMSTATE_UINT8_ARRAY(data, Flash, _INTERNAL_DATA_SIZE), VMSTATE_UINT32(len, Flash), VMSTATE_UINT32(pos, Flash), VMSTATE_UINT8(needed_bytes, Flash),
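Review bot: The new `#include "qemu/error-report.h"` in the first hunk exists only to serve the two error_report() calls added further down; if those calls become qemu_log_mask(LOG_GUEST_ERROR, ...) (already available through the `qemu/log.h` include just above it) or plain assert(), this include can be dropped again, so it is worth settling the error-handling choice before merging.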
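Review bot: `_INTERNAL_DATA_SIZE` in the new #define is a reserved identifier: C reserves every name that starts with an underscore followed by an uppercase letter for the implementation, and the file's existing macros use a device prefix instead (`M25P80_ERR_DEBUG` is visible in the first hunk's context). Rename it along the lines of `M25P80_INTERNAL_DATA_SIZE`, and consider having the two bounds checks use `ARRAY_SIZE(s->data)` rather than the macro, so the limit can never drift from the declaration `uint8_t data[...]` it is meant to protect.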
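Review bot: abort() in the STATE_COLLECTING_DATA / STATE_COLLECTING_VAR_LEN_DATA check kills the whole QEMU process, so if the overrun is reachable from guest-controlled SPI traffic (nothing in the diff argues that it is not, and the commit message has no body describing the scenario), the patch converts an out-of-bounds write into a guest-triggerable crash of the VM. For a guest-reachable condition, log it with qemu_log_mask(LOG_GUEST_ERROR, ...) and discard the byte or return the device to STATE_IDLE; keep abort()/assert() for conditions that are genuine internal invariants, and say in the commit message which of the two this is. The message "Bug - Write overrun internal data buffer" would also be more useful with the device name and the current s->state and s->len in it.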
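Review bot: The STATE_READING_DATA check compares s->pos against the buffer size rather than against s->len, but the unchanged code right below it leaves the state as soon as `s->pos == s->len`, so any read with s->pos >= s->len is already wrong (it returns bytes that were never collected) and this check would not notice until s->pos reaches 16. `if (s->pos >= s->len)` is the tighter invariant, and it also catches the case where STATE_READING_DATA is entered with s->len == 0, in which the `s->pos == s->len` comparison below can never become true. As with the write-side check, abort() here takes down the whole VM if a guest can reach the condition, so the same logging-versus-abort decision applies.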
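Review bot: The VMSTATE_UINT8_ARRAY field in the last hunk now takes its length from `_INTERNAL_DATA_SIZE`, which ties the migration stream layout to the macro. The value is still 16, so this patch is migration-compatible, but a later edit to the macro would silently change the stream without a version bump of vmstate_m25p80. Add a comment beside the #define saying so, or a `QEMU_BUILD_BUG_ON(_INTERNAL_DATA_SIZE != 16)` next to the VMStateDescription, so the coupling is explicit.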