From: Philippe Mathieu-Daudé
To: Corey Minyard, Paolo Bonzini
Cc: Philippe Mathieu-Daudé, qemu-devel@nongnu.org
Date: Fri, 16 Nov 2018 00:05:45 +0100
Message-Id: <20181115230546.27375-1-philmd@redhat.com>
X-Patchwork-Id: 10685283
Subject: [Qemu-devel] [PATCH] hw/i2c/smbus_eeprom: Create at most SMBUS_EEPROM_MAX EEPROMs on a SMBus

Calling smbus_eeprom_init() with more than 8 EEPROMs would lead to a
heap overflow.
Replace the '8' magic number by a definition, and check no more than
this number are created.

Signed-off-by: Philippe Mathieu-Daudé
---
Based-on: 20181115192446.17187-1-minyard@acm.org
"RFC v2: Fix/add vmstate handling in some I2C code"
---
 hw/i2c/smbus_eeprom.c         | 13 +++++++++++--
 include/hw/i2c/smbus_eeprom.h |  4 +++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c index d0a8d63869..de3a492df4 100644 --- a/hw/i2c/smbus_eeprom.c +++ b/hw/i2c/smbus_eeprom.c @@ -23,6 +23,7 @@ */ #include "qemu/osdep.h" +#include "qemu/error-report.h" #include "hw/hw.h" #include "hw/boards.h" #include "hw/i2c/i2c.h" @@ -163,12 +164,20 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t *eeprom_buf) qdev_init_nofail(dev); } -void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom, +void smbus_eeprom_init(I2CBus *smbus, unsigned int nb_eeprom, const uint8_t *eeprom_spd, int eeprom_spd_size) { int i; + uint8_t *eeprom_buf; + + if (nb_eeprom > SMBUS_EEPROM_MAX) { + error_report("At most %u EEPROM are supported on a SMBus.", + SMBUS_EEPROM_MAX); + exit(1); + } + /* XXX: make this persistent */ - uint8_t *eeprom_buf = g_malloc0(8 * SMBUS_EEPROM_SIZE); + eeprom_buf = g_malloc0(nb_eeprom * SMBUS_EEPROM_SIZE); if (eeprom_spd_size > 0) { memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size); } diff --git a/include/hw/i2c/smbus_eeprom.h b/include/hw/i2c/smbus_eeprom.h index 2f56e5dc4e..cc9d1cdba9 100644 --- a/include/hw/i2c/smbus_eeprom.h +++ b/include/hw/i2c/smbus_eeprom.h @@ -4,8 +4,10 @@ #include "hw/i2c/i2c.h" +#define SMBUS_EEPROM_MAX 8 + void smbus_eeprom_init_one(I2CBus *bus, uint8_t address, uint8_t *eeprom_buf); -void smbus_eeprom_init(I2CBus *bus, int nb_eeprom, +void smbus_eeprom_init(I2CBus *bus, unsigned int nb_eeprom, const uint8_t *eeprom_spd, int size); #endif
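Review bot: In the smbus_eeprom_init() hunk of hw/i2c/smbus_eeprom.c, the memcpy(eeprom_buf, eeprom_spd, eeprom_spd_size) that follows the new allocation is still not bounded by the buffer size, and shrinking the allocation from 8 * SMBUS_EEPROM_SIZE to nb_eeprom * SMBUS_EEPROM_SIZE makes that easier to hit. A caller that passes fewer than 8 EEPROMs together with an SPD blob that fit in the old fixed-size buffer can now write past the end of the heap buffer, and with nb_eeprom == 0 g_malloc0() returns NULL, so a positive eeprom_spd_size copies to a NULL pointer. Suggest rejecting eeprom_spd_size > nb_eeprom * SMBUS_EEPROM_SIZE next to the new nb_eeprom check, or keeping the allocation at SMBUS_EEPROM_MAX * SMBUS_EEPROM_SIZE so the buffer size does not depend on the caller's count.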
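Review bot: SMBUS_EEPROM_MAX in include/hw/i2c/smbus_eeprom.h is defined as a plain 8, which is a signed int, while the .c hunk prints it with %u and compares it against the now-unsigned nb_eeprom; define it as 8u (or print it with %d) so the format specifier and the type agree. The macro also has no comment saying what the limit represents, and a one-line explanation would keep it from becoming another unexplained constant. Since nb_eeprom becomes unsigned int while size stays int, a negative count from an existing caller now converts to a large value and is rejected by the new check; that behaviour change is worth stating in the commit message.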