hw/block/pflash_cfi: fix off-by-one error

ASAN reported: hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for type 'uint8_t [82]' Since the 'cfi_len' member is not used, remove it to keep the code safer. Cc: qemu-stable@nongnu.org Reported-by: AddressSanitizer Signed-off-by: N Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>

hw/block/pflash_cfi: fix off-by-one error
ASAN reported: hw/block/pflash_cfi02.c:245:33: runtime error: index 82 out of bounds for type 'uint8_t [82]' Since the 'cfi_len' member is not used, remove it to keep the code safer. Cc: qemu-stable@nongnu.org Reported-by: AddressSanitizer Signed-off-by: N Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: N Kevin Wolf <kwolf@redhat.com>
07c13a71 · Philippe Mathieu-Daudé · Kevin Wolf · febc8c86 · 07c13a71 · 07c13a71
隐藏空白更改
内联并排

Showing with 8 addition and 11 deletion

hw/block/pflash_cfi01.c hw/block/pflash_cfi01.c +4 -6

hw/block/pflash_cfi02.c hw/block/pflash_cfi02.c +4 -5

未找到文件。
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -90,7 +90,6 @@ struct pflash_t {
    uint16_t ident1;
    uint16_t ident2;
    uint16_t ident3;
-    uint8_t cfi_len;
    uint8_t cfi_table[0x52];
    uint64_t counter;
    unsigned int writeblock_size;
@@ -153,7 +152,7 @@ static uint32_t pflash_cfi_query(pflash_t *pfl, hwaddr offset)
    boff = offset >> (ctz32(pfl->bank_width) +
                      ctz32(pfl->max_device_width) - ctz32(pfl->device_width));
-    if (boff > pfl->cfi_len) {
+    if (boff >= sizeof(pfl->cfi_table)) {
        return 0;
    }
    /* Now we will construct the CFI response generated by a single
@@ -385,10 +384,10 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset,
                boff = boff >> 2;
            }
-            if (boff > pfl->cfi_len) {
+            if (boff < sizeof(pfl->cfi_table)) {
-                ret = 0;
-            } else {
                ret = pfl->cfi_table[boff];
+            } else {
+                ret = 0;
            }
        } else {
            /* If we have a read larger than the bank_width, combine multiple
@@ -791,7 +790,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
    pfl->cmd = 0;
    pfl->status = 0;
    /* Hardcoded CFI table */
-    pfl->cfi_len = 0x52;
    /* Standard "QRY" string */
    pfl->cfi_table[0x10] = 'Q';
    pfl->cfi_table[0x11] = 'R';

--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -83,7 +83,6 @@ struct pflash_t {
    uint16_t ident3;
    uint16_t unlock_addr0;
    uint16_t unlock_addr1;
-    uint8_t cfi_len;
    uint8_t cfi_table[0x52];
    QEMUTimer *timer;
    /* The device replicates the flash memory across its memory space.  Emulate
@@ -235,10 +234,11 @@ static uint32_t pflash_read (pflash_t *pfl, hwaddr offset,
        break;
    case 0x98:
        /* CFI query mode */
-        if (boff > pfl->cfi_len)
+        if (boff < sizeof(pfl->cfi_table)) {
-            ret = 0;
-        else
            ret = pfl->cfi_table[boff];
+        } else {
+            ret = 0;
+        }
        break;
    }
@@ -663,7 +663,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
    pfl->cmd = 0;
    pfl->status = 0;
    /* Hardcoded CFI table (mostly from SG29 Spansion flash) */
-    pfl->cfi_len = 0x52;
    /* Standard "QRY" string */
    pfl->cfi_table[0x10] = 'Q';
    pfl->cfi_table[0x11] = 'R';