From patchwork Wed Feb 26 18:01:53 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Maydell <peter.maydell@linaro.org>
X-Patchwork-Id: 25410
Return-Path: <patchwork-forward+bncBC6Z756YVMIBBD7TXCMAKGQE3BVMZEQ@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-qc0-f198.google.com (mail-qc0-f198.google.com
 [209.85.216.198])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 67F56203C4
 for <linaro@patches.linaro.org>; Wed, 26 Feb 2014 18:59:27 +0000 (UTC)
Received: by mail-qc0-f198.google.com with SMTP id x3sf3048272qcv.9
 for <linaro@patches.linaro.org>; Wed, 26 Feb 2014 10:59:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:from:to:date:message-id:in-reply-to
 :references:mime-version:cc:subject:precedence:list-id
 :list-unsubscribe:list-archive:list-post:list-help:list-subscribe
 :errors-to:sender:x-original-sender
 :x-original-authentication-results:mailing-list:content-type
 :content-transfer-encoding;
 bh=ixamyCgtY/eqc1KhrcPfLKyPfMdeNrHU0BwpsWGEDWU=;
 b=Ed1dWPI5F3nB7zyANtYMHfzByb9bOlju+mcqSE7HDVABfEpc+IqdnvV5qE5tca5efq
 Y6gOUmfnqPEaRUmKqNra4cLI9288vJZWWzvz+IJSr/bn72LVoNsmQ3vRyjTa6O+E5YRn
 hVJYU7IKW45nlpe6OgwjIiIDINeDiQ6kk5KZ7foMzuGbj9AKWm+E0R8nPyll0UZ+IGkn
 Q23adiII8NRaNXSpCNKOjRyIGkoCZEOxK6+YRnJJf9+LagK2hgYnT1AAxBps6Zwl72V+
 xbkfxczkr+FfQ1UF9Ia9ViuJUUjThR2qBKDEnAKPVd6JYJ2xOd3Pg4SHkBLef2J/V/4i
 +70Q==
X-Gm-Message-State: ALoCoQlIlTC2ySzUhD520wiL4lwf1J0D97FgxOy3rk+1/MoBEPABxP/mw0VlV/RvkAFX4L9s9wrU
X-Received: by 10.236.209.134 with SMTP id s6mr2556056yho.40.1393441167193; 
 Wed, 26 Feb 2014 10:59:27 -0800 (PST)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.140.109.137 with SMTP id l9ls343443qgf.40.gmail; Wed, 26 Feb
 2014 10:59:27 -0800 (PST)
X-Received: by 10.221.34.211 with SMTP id st19mr7046541vcb.5.1393441167027; 
 Wed, 26 Feb 2014 10:59:27 -0800 (PST)
Received: from mail-ve0-f170.google.com (mail-ve0-f170.google.com
 [209.85.128.170])
 by mx.google.com with ESMTPS id eb8si469477vdb.60.2014.02.26.10.59.27
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Wed, 26 Feb 2014 10:59:27 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.128.170 is neither permitted nor
 denied by best guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 client-ip=209.85.128.170; 
Received: by mail-ve0-f170.google.com with SMTP id pa12so1081929veb.29
 for <patchwork-forward@linaro.org>;
 Wed, 26 Feb 2014 10:59:26 -0800 (PST)
X-Received: by 10.52.95.233 with SMTP id dn9mr5888838vdb.3.1393441166935;
 Wed, 26 Feb 2014 10:59:26 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.220.174.196 with SMTP id u4csp47713vcz;
 Wed, 26 Feb 2014 10:59:26 -0800 (PST)
X-Received: by 10.140.22.39 with SMTP id 36mr1366432qgm.59.1393441166519;
 Wed, 26 Feb 2014 10:59:26 -0800 (PST)
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id
 a3si1082236qao.127.2014.02.26.10.59.26 for <patch@linaro.org>
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Wed, 26 Feb 2014 10:59:26 -0800 (PST)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Received: from localhost ([::1]:42292 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1WIj1x-00011n-3F
 for patch@linaro.org; Wed, 26 Feb 2014 13:16:29 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34351)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1WIiot-00016d-Cp
 for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:03:00 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1WIios-0007Sw-8w
 for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:59 -0500
Received: from mnementh.archaic.org.uk ([2001:8b0:1d0::1]:46191)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1WIios-0007Eu-3D
 for qemu-devel@nongnu.org; Wed, 26 Feb 2014 13:02:58 -0500
Received: from pm215 by mnementh.archaic.org.uk with local (Exim 4.80)
 (envelope-from <pm215@archaic.org.uk>)
 id 1WIioV-000694-Fd; Wed, 26 Feb 2014 18:02:35 +0000
From: Peter Maydell <peter.maydell@linaro.org>
To: Anthony Liguori <aliguori@amazon.com>
Date: Wed, 26 Feb 2014 18:01:53 +0000
Message-Id: <1393437755-23586-4-git-send-email-peter.maydell@linaro.org>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1393437755-23586-1-git-send-email-peter.maydell@linaro.org>
References: <1393437755-23586-1-git-send-email-peter.maydell@linaro.org>
MIME-Version: 1.0
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:8b0:1d0::1
Cc: Blue Swirl <blauwirbel@gmail.com>, qemu-devel@nongnu.org,
 Aurelien Jarno <aurelien@aurel32.net>
Subject: [Qemu-devel] [PULL 03/45] hw/timer/arm_timer: Avoid array overrun
 for bad addresses
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>, 
 <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: peter.maydell@linaro.org
X-Original-Authentication-Results: mx.google.com;       spf=neutral
 (google.com: 209.85.128.170 is neither permitted nor denied by best
 guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

The integrator's timer read/write functions log an error for
bad addresses in guest accesses, but were falling through and
using an out of bounds array index rather than returning early.
Fix this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Message-id: 1392647854-8067-4-git-send-email-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
---
 hw/timer/arm_timer.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/timer/arm_timer.c b/hw/timer/arm_timer.c
index a47afde..fb0a45c 100644
--- a/hw/timer/arm_timer.c
+++ b/hw/timer/arm_timer.c
@@ -320,6 +320,7 @@ static uint64_t icp_pit_read(void *opaque, hwaddr offset,
     n = offset >> 8;
     if (n > 2) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n);
+        return 0;
     }
 
     return arm_timer_read(s->timer[n], offset & 0xff);
@@ -334,6 +335,7 @@ static void icp_pit_write(void *opaque, hwaddr offset,
     n = offset >> 8;
     if (n > 2) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad timer %d\n", __func__, n);
+        return;
     }
 
     arm_timer_write(s->timer[n], offset & 0xff, value);