From 5b4dd0f55ed3027557ed9a6fd89d5aa379122feb Mon Sep 17 00:00:00 2001 From: Konrad Rzeszutek Wilk Date: Mon, 29 Jun 2015 16:41:14 -0400 Subject: xen/pt: Check if reg->init function sets the 'data' past the reg->size It should never happen, but in case it does (an developer adds a new register and the 'init_val' expands past the register size) we want to report. The code will only write up to reg->size so there is no runtime danger of the register spilling across other ones - however to catch this sort of thing we still return an error. Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Stefano Stabellini --- hw/xen/xen_pt_config_init.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'hw/xen') diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c index b1ad743..b58bf39 100644 --- a/hw/xen/xen_pt_config_init.c +++ b/hw/xen/xen_pt_config_init.c @@ -1949,9 +1949,15 @@ static int xen_pt_config_reg_init(XenPCIPassthroughState *s, } else val = data; + if (val & ~size_mask) { + XEN_PT_ERR(&s->dev,"Offset 0x%04x:0x%04x expands past register size(%d)!\n", + offset, val, reg->size); + g_free(reg_entry); + return -ENXIO; + } /* This could be just pci_set_long as we don't modify the bits - * past reg->size, but in case this routine is run in parallel - * we do not want to over-write other registers. */ + * past reg->size, but in case this routine is run in parallel or the + * init value is larger, we do not want to over-write registers. */ switch (reg->size) { case 1: pci_set_byte(s->dev.config + offset, (uint8_t)val); break; -- cgit v1.1