diff options
author | Li Zhijian <lizhijian@cn.fujitsu.com> | 2019-01-17 20:49:01 +0800 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2019-02-05 16:50:18 +0100 |
commit | 0c249ff71c094c0e009e2ccaef5237af3610b0fb (patch) | |
tree | 855e1f40abe9e930f66749b83ab3a2831992c546 /exec.c | |
parent | b86d01ba47cfe3fc7505924ca2804f370383ad97 (diff) | |
download | qemu-0c249ff71c094c0e009e2ccaef5237af3610b0fb.zip qemu-0c249ff71c094c0e009e2ccaef5237af3610b0fb.tar.gz qemu-0c249ff71c094c0e009e2ccaef5237af3610b0fb.tar.bz2 |
unify len and addr type for memory/address APIs
Some address/memory APIs have different type between
'hwaddr/target_ulong addr' and 'int len'. It is very unsafe, especially
some APIs will be passed a non-int len by caller which might cause
overflow quietly.
Below is an potential overflow case:
dma_memory_read(uint32_t len)
-> dma_memory_rw(uint32_t len)
-> dma_memory_rw_relaxed(uint32_t len)
-> address_space_rw(int len) # len overflow
CC: Paolo Bonzini <pbonzini@redhat.com>
CC: Peter Crosthwaite <crosthwaite.peter@gmail.com>
CC: Richard Henderson <rth@twiddle.net>
CC: Peter Maydell <peter.maydell@linaro.org>
CC: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'exec.c')
-rw-r--r-- | exec.c | 47 |
1 files changed, 23 insertions, 24 deletions
@@ -2851,10 +2851,10 @@ static const MemoryRegionOps watch_mem_ops = { }; static MemTxResult flatview_read(FlatView *fv, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len); + MemTxAttrs attrs, uint8_t *buf, hwaddr len); static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len); -static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, + const uint8_t *buf, hwaddr len); +static bool flatview_access_valid(FlatView *fv, hwaddr addr, hwaddr len, bool is_write, MemTxAttrs attrs); static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data, @@ -3102,10 +3102,10 @@ MemoryRegion *get_system_io(void) /* physical memory access (slow version, mainly for debug) */ #if defined(CONFIG_USER_ONLY) int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - uint8_t *buf, int len, int is_write) + uint8_t *buf, target_ulong len, int is_write) { - int l, flags; - target_ulong page; + int flags; + target_ulong l, page; void * p; while (len > 0) { @@ -3231,7 +3231,7 @@ static bool prepare_mmio_access(MemoryRegion *mr) static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, MemTxAttrs attrs, const uint8_t *buf, - int len, hwaddr addr1, + hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion *mr) { uint8_t *ptr; @@ -3276,7 +3276,7 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, /* Called from RCU critical section. */ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len) + const uint8_t *buf, hwaddr len) { hwaddr l; hwaddr addr1; @@ -3294,7 +3294,7 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, /* Called within RCU critical section. */ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, MemTxAttrs attrs, uint8_t *buf, - int len, hwaddr addr1, hwaddr l, + hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion *mr) { uint8_t *ptr; @@ -3337,7 +3337,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, /* Called from RCU critical section. */ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len) + MemTxAttrs attrs, uint8_t *buf, hwaddr len) { hwaddr l; hwaddr addr1; @@ -3350,7 +3350,7 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, } MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, - MemTxAttrs attrs, uint8_t *buf, int len) + MemTxAttrs attrs, uint8_t *buf, hwaddr len) { MemTxResult result = MEMTX_OK; FlatView *fv; @@ -3367,7 +3367,7 @@ MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr, MemTxResult address_space_write(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len) + const uint8_t *buf, hwaddr len) { MemTxResult result = MEMTX_OK; FlatView *fv; @@ -3383,7 +3383,7 @@ MemTxResult address_space_write(AddressSpace *as, hwaddr addr, } MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - uint8_t *buf, int len, bool is_write) + uint8_t *buf, hwaddr len, bool is_write) { if (is_write) { return address_space_write(as, addr, attrs, buf, len); @@ -3393,7 +3393,7 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, } void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf, - int len, int is_write) + hwaddr len, int is_write) { address_space_rw(&address_space_memory, addr, MEMTXATTRS_UNSPECIFIED, buf, len, is_write); @@ -3408,7 +3408,7 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, const uint8_t *buf, - int len, + hwaddr len, enum write_rom_type type) { hwaddr l; @@ -3448,13 +3448,13 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as, /* used for ROM loading : can write in RAM and ROM */ MemTxResult address_space_write_rom(AddressSpace *as, hwaddr addr, MemTxAttrs attrs, - const uint8_t *buf, int len) + const uint8_t *buf, hwaddr len) { return address_space_write_rom_internal(as, addr, attrs, buf, len, WRITE_DATA); } -void cpu_flush_icache_range(hwaddr start, int len) +void cpu_flush_icache_range(hwaddr start, hwaddr len) { /* * This function should do the same thing as an icache flush that was @@ -3557,7 +3557,7 @@ static void cpu_notify_map_clients(void) qemu_mutex_unlock(&map_client_list_lock); } -static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, +static bool flatview_access_valid(FlatView *fv, hwaddr addr, hwaddr len, bool is_write, MemTxAttrs attrs) { MemoryRegion *mr; @@ -3580,7 +3580,7 @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len, } bool address_space_access_valid(AddressSpace *as, hwaddr addr, - int len, bool is_write, + hwaddr len, bool is_write, MemTxAttrs attrs) { FlatView *fv; @@ -3833,7 +3833,7 @@ static inline MemoryRegion *address_space_translate_cached( */ void address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr, - void *buf, int len) + void *buf, hwaddr len) { hwaddr addr1, l; MemoryRegion *mr; @@ -3851,7 +3851,7 @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr, */ void address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr, - const void *buf, int len) + const void *buf, hwaddr len) { hwaddr addr1, l; MemoryRegion *mr; @@ -3874,11 +3874,10 @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr, /* virtual memory access for debug (includes writing to ROM) */ int cpu_memory_rw_debug(CPUState *cpu, target_ulong addr, - uint8_t *buf, int len, int is_write) + uint8_t *buf, target_ulong len, int is_write) { - int l; hwaddr phys_addr; - target_ulong page; + target_ulong l, page; cpu_synchronize_state(cpu); while (len > 0) { |