diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2024-05-31 13:46:28 +0100 |
|---|---|---|
| committer | Philippe Mathieu-Daudé <philmd@linaro.org> | 2024-06-04 11:53:43 +0200 |
| commit | a7d8244be9f9a0fde9f694a46bdd04aabbbb5b4a (patch) | |
| tree | a0d13eb6a11ff80dabbefd4eeee722ef430ec7a6 /hw | |
| parent | af1cf62401f01b1ecce1e2cd94fbd8410064418a (diff) | |
| download | qemu-a7d8244be9f9a0fde9f694a46bdd04aabbbb5b4a.zip qemu-a7d8244be9f9a0fde9f694a46bdd04aabbbb5b4a.tar.gz qemu-a7d8244be9f9a0fde9f694a46bdd04aabbbb5b4a.tar.bz2 | |
hw/dma/xlnx_dpdma: Read descriptor into buffer, not into pointer-to-buffer
In fdf029762f501 we factored out the handling of reading and writing
DMA descriptors from guest memory. Unfortunately we accidentally
made the descriptor-read read the descriptor into the address of the
buffer rather than into the buffer, because we didn't notice we
needed to update the arguments to the dma_memory_read() call. Before
the refactoring, "&desc" is the address of a local struct DPDMADescriptor
variable in xlnx_dpdma_start_operation(), which is the correct target
for the guest-memory-read. But after the refactoring 'desc' is the
"DPDMADescriptor *desc" argument to the new function, and so it is
already an address.
This bug is an overrun of a stack variable, since a pointer is at
most 8 bytes long and we try to read 64 bytes, as well as being
incorrect behaviour.
Pass 'desc' rather than '&desc' as the dma_memory_read() argument
to fix this.
(The same bug is not present in xlnx_dpdma_write_descriptor(),
because there we are writing the descriptor from a local struct
variable "DPDMADescriptor tmp_desc" and so passing &tmp_desc to
dma_memory_write() is correct.)
Spotted by Coverity: CID 1546649
Fixes: fdf029762f50101 ("xlnx_dpdma: fix descriptor endianness bug")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240531124628.476938-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/dma/xlnx_dpdma.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c index dde4aec..a685bd2 100644 --- a/hw/dma/xlnx_dpdma.c +++ b/hw/dma/xlnx_dpdma.c @@ -619,7 +619,7 @@ static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s, DPDMADescriptor *desc) { MemTxResult res = dma_memory_read(&address_space_memory, desc_addr, - &desc, sizeof(DPDMADescriptor), + desc, sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); if (res) { return res; |