[PULL 5/7] lsi53c895a: avoid out of bounds access to s->msg[]
From: Paolo Bonzini
Subject: [PULL 5/7] lsi53c895a: avoid out of bounds access to s->msg[]
Date: Tue, 2 Apr 2024 15:16:47 +0200
If no bytes are there to process in the message in phase,
the input data latch (s->sidl) is set to s->msg[-1]. Just
do nothing since no DMA is performed.
Reported-by: Chuhong Yuan <hslester96@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/lsi53c895a.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 71f759a59dd..eb9828dd5ef 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -927,13 +927,18 @@ static void lsi_do_msgin(LSIState *s)
assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
if (len > s->dbc)
len = s->dbc;
- pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
- /* Linux drivers rely on the last byte being in the SIDL. */
- s->sidl = s->msg[len - 1];
- s->msg_len -= len;
- if (s->msg_len) {
- memmove(s->msg, s->msg + len, s->msg_len);
- } else {
+
+ if (len) {
+ pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
+ /* Linux drivers rely on the last byte being in the SIDL. */
+ s->sidl = s->msg[len - 1];
+ s->msg_len -= len;
+ if (s->msg_len) {
+ memmove(s->msg, s->msg + len, s->msg_len);
+ }
+ }
+
+ if (!s->msg_len) {
/* ??? Check if ATN (not yet implemented) is asserted and maybe
switch to PHASE_MO. */
switch (s->msg_action) {
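Review bot: The new `if (len)` guard sits directly below `assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);`, so on first read it looks like dead code. A one-line comment on the guard saying that len can only be zero here because it was clamped to s->dbc would make the intent clear. The same comment could state that s->sidl is deliberately left unchanged in that case, since the existing comment notes that Linux drivers rely on its value.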
--
2.44.0