* [PATCH] hw/nvram: Make (len + offset) check more strict
@ 2024-04-16  8:26 Artem Chernyshev
From: Artem Chernyshev @ 2024-04-16  8:26 UTC
  To: Nicholas Piggin
  Cc: Artem Chernyshev, Daniel Henrique Barboza, David Gibson,
	Harsh Prateek Bora, qemu-ppc, qemu-devel, Oleg Sviridov

In rtas_nvram_fetch() and rtas_nvram_store(), if len is equal
to zero, the result of cpu_physical_memory_map() will be NULL.
This will lead to a NULL dereference, since the return value is
used without a check. It could be avoided by making the IF
condition more strict.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Oleg Sviridov <oleg.sviridov@red-soft.ru>
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
 hw/nvram/spapr_nvram.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/nvram/spapr_nvram.c b/hw/nvram/spapr_nvram.c
index bfd8aa367e..bf0a7d05df 100644
--- a/hw/nvram/spapr_nvram.c
+++ b/hw/nvram/spapr_nvram.c
@@ -79,7 +79,7 @@ static void rtas_nvram_fetch(PowerPCCPU *cpu, SpaprMachineState *spapr,
     buffer = rtas_ld(args, 1);
     len = rtas_ld(args, 2);
 
-    if (((offset + len) < offset)
+    if (((offset + len) <= offset)
         || ((offset + len) > nvram->size)) {
         rtas_st(rets, 0, RTAS_OUT_PARAM_ERROR);
         rtas_st(rets, 1, 0);
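
Review bot: The new `(offset + len) <= offset` test in rtas_nvram_fetch() makes every zero-length request fail with RTAS_OUT_PARAM_ERROR, which is a guest-visible change that the commit message does not mention. The single comparison now covers two unrelated cases (wrap-around of offset + len, and len == 0), so the intent is hard to read from the code. Consider spelling the zero case out, for example `len == 0 ||` ahead of the overflow test, or keeping `<` and checking the pointer returned by cpu_physical_memory_map() before it is used, which is the defect the commit message describes. Either way, the commit message should say whether a zero-length fetch is meant to be an error.
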
@@ -120,7 +120,7 @@ static void rtas_nvram_store(PowerPCCPU *cpu, SpaprMachineState *spapr,
     buffer = rtas_ld(args, 1);
     len = rtas_ld(args, 2);
 
-    if (((offset + len) < offset)
+    if (((offset + len) <= offset)
         || ((offset + len) > nvram->size)) {
         rtas_st(rets, 0, RTAS_OUT_PARAM_ERROR);
         return;
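
Review bot: In rtas_nvram_store(), a zero-length store now takes the error branch, which writes only rets 0 and returns, whereas the matching branch in rtas_nvram_fetch() also writes rets 1 with `rtas_st(rets, 1, 0);`. Please confirm that leaving the second return value unset is intended for this newly reachable case, or add the same store here for consistency. The identical two-line condition is also duplicated across both functions; a small shared helper with a comment explaining that `<=` rejects both wrap-around and len == 0 would keep the two call sites from diverging.
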
-- 
2.37.3


