Message ID | 20181022120908.13285-1-ppandit@redhat.com (mailing list archive)
---|---
State | New, archived
Series | [1/3] arm: check bit index before use
2018-10-22 liqsub1 From: P J P <ppandit@redhat.com> Sent: 2018-10-23 01:39 Subject: [Qemu-devel] [PATCH 1/3] arm: check bit index before use To: "Qemu Developers"<qemu-devel@nongnu.org> Cc: "Peter Maydell"<peter.maydell@linaro.org>,"Moguofang"<moguofang@huawei.com>,"Prasad J Pandit"<pjp@fedoraproject.org> From: Prasad J Pandit <pjp@fedoraproject.org> While performing gpio write via strongarm_gpio_handler_update routine, the 'bit' index could access beyond s->handler[28] array. Add check to avoid OOB access. Reported-by: Moguofang <moguofang@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> --- hw/arm/strongarm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c index ec2627374d..3dda75feaf 100644 --- a/hw/arm/strongarm.c +++ b/hw/arm/strongarm.c @@ -532,7 +532,9 @@ static void strongarm_gpio_handler_update(StrongARMGPIOInfo *s) for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) { bit = ctz32(diff); - qemu_set_irq(s->handler[bit], (level >> bit) & 1); + if (bit < sizeof(s->handler) / sizeof(s->handler[0])) { Hello Prasad, Maybe you can use ARRAY_SIZE here. Thanks, Li Qiang + qemu_set_irq(s->handler[bit], (level >> bit) & 1); + } } s->prev_level = level; -- 2.17.2
+-- On Mon, 22 Oct 2018, liqsub1 wrote --+ | + if (bit < sizeof(s->handler) / sizeof(s->handler[0])) { | | Maybe you can use ARRAY_SIZE here. Yes, sent patch v1. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
On 22/10/2018 14:09, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While performing gpio write via strongarm_gpio_handler_update > routine, the 'bit' index could access beyond s->handler[28] array. > Add check to avoid OOB access. > > Reported-by: Moguofang <moguofang@huawei.com> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/arm/strongarm.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c > index ec2627374d..3dda75feaf 100644 > --- a/hw/arm/strongarm.c > +++ b/hw/arm/strongarm.c > @@ -532,7 +532,9 @@ static void strongarm_gpio_handler_update(StrongARMGPIOInfo *s) > > for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) { > bit = ctz32(diff); > - qemu_set_irq(s->handler[bit], (level >> bit) & 1); > + if (bit < sizeof(s->handler) / sizeof(s->handler[0])) { > + qemu_set_irq(s->handler[bit], (level >> bit) & 1); > + } > } > > s->prev_level = level; > This is correct, but please use ARRAY_SIZE(s->handler). Paolo
diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c index ec2627374d..3dda75feaf 100644 --- a/hw/arm/strongarm.c +++ b/hw/arm/strongarm.c @@ -532,7 +532,9 @@ static void strongarm_gpio_handler_update(StrongARMGPIOInfo *s) for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) { bit = ctz32(diff); - qemu_set_irq(s->handler[bit], (level >> bit) & 1); + if (bit < sizeof(s->handler) / sizeof(s->handler[0])) { + qemu_set_irq(s->handler[bit], (level >> bit) & 1); + } } s->prev_level = level;
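Review bot: the new `if (bit < sizeof(s->handler) / sizeof(s->handler[0]))` guard in strongarm_gpio_handler_update should be written with QEMU's ARRAY_SIZE(s->handler), as both reviewers ask, and as written it silently skips any set bit at index 28..31 with no diagnostic, so a guest register write that reaches those bits leaves no trace for anyone debugging the device model; an else branch with qemu_log_mask(LOG_GUEST_ERROR, ...) naming the out-of-range bit would keep the OOB protection while making the bad write visible. Note also that once the guard is in place `bit` can legitimately reach 31, and the loop step `diff ^= 1 << bit` then shifts a signed int 1 into the sign bit, which is undefined behaviour in C; `1u << bit` avoids it while preserving the loop's termination (the step still clears the skipped bit from `diff`, so the loop ends even for bits the guard rejects).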