hw/block/onenand: Fix off-by-one error allowing out-of-bounds read

An off-by-one error in a switch case in onenand_read() allowed a misbehaving guest to read off the end of a block of memory. NB: the onenand device is used only by the "n800" and "n810" machines, which are usable only with TCG, not KVM, so this is not a security issue. Reported-by: N Thomas Huth <thuth@redhat.com> Reviewed-by: N Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: N Richard Henderson <richard.henderson@linaro.org> Signed-off-by: N Peter Maydell <peter.maydell@linaro.org> Message-id: 20181115143535.5885-2-peter.maydell@linaro.org Suggested-by: N Richard Henderson <richard.henderson@linaro.org> Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>

hw/block/onenand: Fix off-by-one error allowing out-of-bounds read
An off-by-one error in a switch case in onenand_read() allowed a misbehaving guest to read off the end of a block of memory. NB: the onenand device is used only by the "n800" and "n810" machines, which are usable only with TCG, not KVM, so this is not a security issue. Reported-by: N Thomas Huth <thuth@redhat.com> Reviewed-by: N Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: N Richard Henderson <richard.henderson@linaro.org> Signed-off-by: N Peter Maydell <peter.maydell@linaro.org> Message-id: 20181115143535.5885-2-peter.maydell@linaro.org Suggested-by: N Richard Henderson <richard.henderson@linaro.org> Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>
fcf5787c · Peter Maydell · 7760da72 · fcf5787c
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

hw/block/onenand.c hw/block/onenand.c +1 -1

未找到文件。
--- a/hw/block/onenand.c
+++ b/hw/block/onenand.c
@@ -608,7 +608,7 @@ static uint64_t onenand_read(void *opaque, hwaddr addr,
    int offset = addr >> s->shift;

    switch (offset) {
-    case 0x0000 ... 0xc000:
+    case 0x0000 ... 0xbffe:
        return lduw_le_p(s->boot[0] + addr);

    case 0xf000:	/* Manufacturer ID */