diff options
author | Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> | 2015-06-29 16:41:14 -0400 |
---|---|---|
committer | Stefano Stabellini <stefano.stabellini@eu.citrix.com> | 2015-09-10 16:47:09 +0000 |
commit | 5b4dd0f55ed3027557ed9a6fd89d5aa379122feb (patch) | |
tree | b8dc999483223e499693a5c732f878534db49916 /hw | |
parent | 2e87512eccf3c5e40f3142ff5a763f4f850839f4 (diff) | |
download | qemu-5b4dd0f55ed3027557ed9a6fd89d5aa379122feb.zip |
xen/pt: Check if reg->init function sets the 'data' past the reg->size
It should never happen, but in case it does (an developer adds
a new register and the 'init_val' expands past the register
size) we want to report. The code will only write up to
reg->size so there is no runtime danger of the register spilling
across other ones - however to catch this sort of thing
we still return an error.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/xen/xen_pt_config_init.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c index b1ad743754..b58bf3983c 100644 --- a/hw/xen/xen_pt_config_init.c +++ b/hw/xen/xen_pt_config_init.c @@ -1949,9 +1949,15 @@ static int xen_pt_config_reg_init(XenPCIPassthroughState *s, } else val = data; + if (val & ~size_mask) { + XEN_PT_ERR(&s->dev,"Offset 0x%04x:0x%04x expands past register size(%d)!\n", + offset, val, reg->size); + g_free(reg_entry); + return -ENXIO; + } /* This could be just pci_set_long as we don't modify the bits - * past reg->size, but in case this routine is run in parallel - * we do not want to over-write other registers. */ + * past reg->size, but in case this routine is run in parallel or the + * init value is larger, we do not want to over-write registers. */ switch (reg->size) { case 1: pci_set_byte(s->dev.config + offset, (uint8_t)val); break; |