xen-changelog

[Top] [All Lists]

[Xen-changelog] [xen-unstable] [QEMU] pci: Unaligned config read/write o

from [Xen patchbot-unstable]

[Permanent Link][Original]

To:	xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-changelog] [xen-unstable] [QEMU] pci: Unaligned config read/write overflow
From:	Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date:	Tue, 28 Nov 2006 17:00:32 +0000
Delivery-date:	Tue, 28 Nov 2006 09:00:06 -0800
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id:	BK change log <xen-changelog.lists.xensource.com>
List-post:	<mailto:xen-changelog@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to:	xen-devel@xxxxxxxxxxxxxxxxxxx
Sender:	xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx

# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID 7cb4376044b54e4708ffca9fe16ab4e37f8042d4
# Parent  b08e7ed949916faab481b3aa63e464941aa07b5d
[QEMU] pci: Unaligned config read/write overflow

The default config read/write handlers allows a 4-byte read/write at
address 255.  This can clobber the field after the config area.  This
happens to be the PCIBus pointer in the PCIDevice structure.

This patch stops this from reducing the read/write to the (largest
multiple of 2) number of bytes within the config area.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
---
 tools/ioemu/hw/pci.c |   24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)

diff -r b08e7ed94991 -r 7cb4376044b5 tools/ioemu/hw/pci.c
--- a/tools/ioemu/hw/pci.c      Tue Nov 28 13:43:25 2006 +0000
+++ b/tools/ioemu/hw/pci.c      Tue Nov 28 13:46:10 2006 +0000
@@ -221,16 +221,23 @@ uint32_t pci_default_read_config(PCIDevi
                                  uint32_t address, int len)
 {
     uint32_t val;
+
     switch(len) {
+    default:
+    case 4:
+       if (address <= 0xfc) {
+           val = le32_to_cpu(*(uint32_t *)(d->config + address));
+           break;
+       }
+       /* fall through */
+    case 2:
+        if (address <= 0xfe) {
+           val = le16_to_cpu(*(uint16_t *)(d->config + address));
+           break;
+       }
+       /* fall through */
     case 1:
         val = d->config[address];
-        break;
-    case 2:
-        val = le16_to_cpu(*(uint16_t *)(d->config + address));
-        break;
-    default:
-    case 4:
-        val = le32_to_cpu(*(uint32_t *)(d->config + address));
         break;
     }
     return val;
@@ -333,7 +340,8 @@ void pci_default_write_config(PCIDevice 
 
             d->config[addr] = val;
         }
-        addr++;
+        if (++addr > 0xff)
+               break;
         val >>= 8;
     }
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-changelog] [xen-unstable] [QEMU] pci: Unaligned config read/write overflow, Xen patchbot-unstable <=

Previous by Date:	[Xen-changelog] [xen-unstable] [XENOPROFILE] fix shared_xenoprof_page_with_guest() and cleanup., Xen patchbot-unstable
Next by Date:	[Xen-changelog] [xen-unstable] [HVM][SVM] Allows 64bit HVM AMD-V Linux guests to boot., Xen patchbot-unstable
Previous by Thread:	[Xen-changelog] [xen-unstable] [XENOPROFILE] fix shared_xenoprof_page_with_guest() and cleanup., Xen patchbot-unstable
Next by Thread:	[Xen-changelog] [xen-unstable] [HVM][SVM] Allows 64bit HVM AMD-V Linux guests to boot., Xen patchbot-unstable
Indexes:	[Date] [Thread] [Top] [All Lists]