|
 |
8be556 |
From 0677491b99e29e3bdbf313121077187439cca727 Mon Sep 17 00:00:00 2001
|
|
|
8be556 |
From: Xiao Wang <jasowang@redhat.com>
|
|
|
8be556 |
Date: Tue, 7 Jul 2015 09:19:06 +0200
|
|
|
8be556 |
Subject: [PATCH 178/217] virito-pci: fix OVERRUN problem
|
|
|
8be556 |
|
|
|
8be556 |
Message-id: <1436260751-25015-64-git-send-email-jasowang@redhat.com>
|
|
|
8be556 |
Patchwork-id: 66838
|
|
|
8be556 |
O-Subject: [RHEL7.2 qemu-kvm-rhev PATCH V2 63/68] virito-pci: fix OVERRUN problem
|
|
|
8be556 |
Bugzilla: 1227343
|
|
|
8be556 |
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
8be556 |
RH-Acked-by: David Gibson <dgibson@redhat.com>
|
|
|
8be556 |
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
|
|
|
8be556 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
8be556 |
|
|
|
8be556 |
From: Gonglei <arei.gonglei@huawei.com>
|
|
|
8be556 |
|
|
|
8be556 |
Overrunning array "proxy->guest_features" of 2 4-byte
|
|
|
8be556 |
elements at element index 2 (byte offset 8) using index
|
|
|
8be556 |
"proxy->gfselect" (which evaluates to 2). Normally, the
|
|
|
8be556 |
Linux kernel driver just read/write '0' or '1' as the
|
|
|
8be556 |
"proxy->gfselect" values, so using '<' instead of '=<' to
|
|
|
8be556 |
make coverity happy and avoid potential harm.
|
|
|
8be556 |
|
|
|
8be556 |
Cc: Michael S. Tsirkin <mst@redhat.com>
|
|
|
8be556 |
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
|
|
|
8be556 |
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
8be556 |
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
8be556 |
|
|
|
8be556 |
(cherry picked from commit 3750dabc69d76f0938cc726a64a70e4ae2fe21df)
|
|
|
8be556 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
8be556 |
---
|
|
|
8be556 |
hw/virtio/virtio-pci.c | 4 ++--
|
|
|
8be556 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
8be556 |
|
|
|
8be556 |
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
|
|
|
8be556 |
index 1aba4e2..9b5f009 100644
|
|
|
8be556 |
--- a/hw/virtio/virtio-pci.c
|
|
|
8be556 |
+++ b/hw/virtio/virtio-pci.c
|
|
|
8be556 |
@@ -977,7 +977,7 @@ static uint64_t virtio_pci_common_read(void *opaque, hwaddr addr,
|
|
|
8be556 |
val = proxy->gfselect;
|
|
|
8be556 |
break;
|
|
|
8be556 |
case VIRTIO_PCI_COMMON_GF:
|
|
|
8be556 |
- if (proxy->gfselect <= ARRAY_SIZE(proxy->guest_features)) {
|
|
|
8be556 |
+ if (proxy->gfselect < ARRAY_SIZE(proxy->guest_features)) {
|
|
|
8be556 |
val = proxy->guest_features[proxy->gfselect];
|
|
|
8be556 |
}
|
|
|
8be556 |
break;
|
|
|
8be556 |
@@ -1052,7 +1052,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
|
|
|
8be556 |
proxy->gfselect = val;
|
|
|
8be556 |
break;
|
|
|
8be556 |
case VIRTIO_PCI_COMMON_GF:
|
|
|
8be556 |
- if (proxy->gfselect <= ARRAY_SIZE(proxy->guest_features)) {
|
|
|
8be556 |
+ if (proxy->gfselect < ARRAY_SIZE(proxy->guest_features)) {
|
|
|
8be556 |
proxy->guest_features[proxy->gfselect] = val;
|
|
|
8be556 |
virtio_set_features(vdev,
|
|
|
8be556 |
(((uint64_t)proxy->guest_features[1]) << 32) |
|
|
|
8be556 |
--
|
|
|
8be556 |
1.8.3.1
|
|
|
8be556 |
|