59 lines
2.1 KiB
Diff
59 lines
2.1 KiB
Diff
|
From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
|
||
|
From: "Gabriel L. Somlo" <somlo@cmu.edu>
|
||
|
Date: Thu, 5 Nov 2015 09:32:50 -0500
|
||
|
Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
When calculating a pointer to the currently selected fw_cfg item, the
|
||
|
following is used:
|
||
|
|
||
|
FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
||
|
|
||
|
When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
|
||
|
a non-existent element in s->entries[arch][...], which is undefined.
|
||
|
|
||
|
This patch ensures the resulting entry pointer is set to NULL whenever
|
||
|
s->cur_entry is FW_CFG_INVALID.
|
||
|
|
||
|
Reported-by: Laszlo Ersek <lersek@redhat.com>
|
||
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||
|
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
|
||
|
Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
|
||
|
Cc: Marc Marí <markmb@redhat.com>
|
||
|
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
|
||
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||
|
---
|
||
|
hw/nvram/fw_cfg.c | 6 ++++--
|
||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
|
||
|
index c2d3a0a..046fa74 100644
|
||
|
--- a/hw/nvram/fw_cfg.c
|
||
|
+++ b/hw/nvram/fw_cfg.c
|
||
|
@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
|
||
|
static uint8_t fw_cfg_read(FWCfgState *s)
|
||
|
{
|
||
|
int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
|
||
|
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
||
|
+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
|
||
|
+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
||
|
uint8_t ret;
|
||
|
|
||
|
if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
|
||
|
@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
|
||
|
}
|
||
|
|
||
|
arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
|
||
|
- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
||
|
+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
|
||
|
+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
||
|
|
||
|
if (dma.control & FW_CFG_DMA_CTL_READ) {
|
||
|
read = 1;
|
||
|
--
|
||
|
2.7.4
|
||
|
|