| |
|
 |
|
 |
|
|
|
| |
|
|
xen-devel
[Xen-devel] qemu/pci: Unaligned config read/write overflow
Hi:
[QEMU] pci: Unaligned config read/write overflow
The default config read/write handlers allows a 4-byte read/write at
address 255. This can clobber the field after the config area. This
happens to be the PCIBus pointer in the PCIDevice structure.
This patch stops this from reducing the read/write to the (largest
multiple of 2) number of bytes within the config area.
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff -r 84c0f49de1b1 tools/ioemu/hw/pci.c
--- a/tools/ioemu/hw/pci.c Mon Nov 27 10:06:41 2006 +0000
+++ b/tools/ioemu/hw/pci.c Tue Nov 28 14:57:22 2006 +1100
@@ -221,16 +221,23 @@ uint32_t pci_default_read_config(PCIDevi
uint32_t address, int len)
{
uint32_t val;
+
switch(len) {
+ default:
+ case 4:
+ if (address <= 0xfc) {
+ val = le32_to_cpu(*(uint32_t *)(d->config + address));
+ break;
+ }
+ /* fall through */
+ case 2:
+ if (address <= 0xfe) {
+ val = le16_to_cpu(*(uint16_t *)(d->config + address));
+ break;
+ }
+ /* fall through */
case 1:
val = d->config[address];
- break;
- case 2:
- val = le16_to_cpu(*(uint16_t *)(d->config + address));
- break;
- default:
- case 4:
- val = le32_to_cpu(*(uint32_t *)(d->config + address));
break;
}
return val;
@@ -333,7 +340,8 @@ void pci_default_write_config(PCIDevice
d->config[addr] = val;
}
- addr++;
+ if (++addr > 0xff)
+ break;
val >>= 8;
}
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- [Xen-devel] qemu/pci: Unaligned config read/write overflow,
Herbert Xu <=
|
|
|
| |
|
Home
xen.org, 