From patchwork Tue Jan 19 05:57:57 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chester Lin <czylin@uwaterloo.ca>
X-Patchwork-Id: 8058251
Return-Path: <xen-devel-bounces@lists.xen.org>
X-Original-To: patchwork-xen-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id CBC599F1CC
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 19 Jan 2016 06:00:50 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 01FC9203FB
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 19 Jan 2016 06:00:50 +0000 (UTC)
Received: from lists.xen.org (lists.xenproject.org [50.57.142.19])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 37263203F3
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Tue, 19 Jan 2016 06:00:49 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1aLPIy-0005yY-VE; Tue, 19 Jan 2016 05:58:12 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <czylin@uwaterloo.ca>) id 1aLPIy-0005yK-2X
	for xen-devel@lists.xen.org; Tue, 19 Jan 2016 05:58:12 +0000
Received: from [85.158.143.35] by server-1.bemta-4.messagelabs.com id
	76/83-09708-370DD965; Tue, 19 Jan 2016 05:58:11 +0000
X-Env-Sender: czylin@uwaterloo.ca
X-Msg-Ref: server-3.tower-21.messagelabs.com!1453183089!10380365!1
X-Originating-IP: [129.97.128.141]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 7.35.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 45322 invoked from network); 19 Jan 2016 05:58:10 -0000
Received: from mailservices.uwaterloo.ca (HELO minos.uwaterloo.ca)
	(129.97.128.141)
	by server-3.tower-21.messagelabs.com with DHE-RSA-AES256-GCM-SHA384
	encrypted SMTP; 19 Jan 2016 05:58:10 -0000
Received: from ubuntu1204-004.student.cs.uwaterloo.ca
	(ubuntu1204-004.student.cs.uwaterloo.ca [129.97.167.42])
	(authenticated bits=0)
	by minos.uwaterloo.ca (8.14.4/8.14.4) with ESMTP id u0J5vwM5022170
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO); Tue, 19 Jan 2016 00:58:06 -0500
From: Chester Lin <czylin@uwaterloo.ca>
To: xen-devel@lists.xen.org
Date: Tue, 19 Jan 2016 00:57:57 -0500
Message-Id: <1453183077-50542-1-git-send-email-czylin@uwaterloo.ca>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <568CEBD002000078000C3D17@prv-mh.provo.novell.com>
References: <568CEBD002000078000C3D17@prv-mh.provo.novell.com>
X-UUID: 0beb1269-d28b-451a-b9d8-f3fec24c5d55
Cc: ian.campbell@citrix.com, stefano.stabellini@eu.citrix.com,
	george.dunlap@eu.citrix.com, dario.faggioli@citrix.com,
	ian.jackson@eu.citrix.com, Chester Lin <czylin@uwaterloo.ca>,
	jtotto@uwaterloo.ca, JBeulich@suse.com, hjarmstr@uwaterloo.ca
Subject: [Xen-devel] [PATCH v2 3/5] n16550: add sanity check for reg_shift
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
MIME-Version: 1.0
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Fix CID 1343302 by adding checking a check on the value of reg_shift.
This patch also rolls the multiplication by 8 into the shift.
No functional changes.

Suggested-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Chester Lin <czylin@uwaterloo.ca>
---
 xen/drivers/char/ns16550.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
index bc24015..55cfc45 100644
--- a/xen/drivers/char/ns16550.c
+++ b/xen/drivers/char/ns16550.c
@@ -913,7 +913,8 @@ pci_uart_config(struct ns16550 *uart, bool_t skip_amt, unsigned int bar_idx)
                          * Force length of mmio region to be at least
                          * 8 bytes times (1 << reg_shift)
                          */
-                        if ( size < (0x8 * (1 << uart_param[p].reg_shift)) )
+                        if ( uart_param[p].reg_shift > 27 ||
+                             size < (1 << (uart_param[p].reg_shift + 3)) )
                             continue;
 
                         if ( bar_idx >= uart_param[p].max_bars )