Commit 68716da7 authored Jun 09, 2014 by Stefan Weil Committed by Mark Cave-Ayland Jun 20, 2014

apb: Fix out-of-bounds array write access



The array regs is declared with IOMMU_NREGS (3) elements and accessed
using IOMMU_CTRL (0) and IOMMU_BASE (8). In most cases, those values
are right shifted before being used as an index which results in indices
0 and 1. In one case, this right shift was missing for IOMMU_BASE which
results in an out-of-bounds write access with index 8.

The patch adds the missing shift operation also for IOMMU_CTRL where
it is needed only for cosmetic reasons.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

parent 427e1750

hw/pci-host/apb.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -333,7 +333,7 @@ static void iommu_config_write(void *opaque, hwaddr addr,
		is->regs[IOMMU_CTRL >> 3] &= 0xffffffffULL;
		is->regs[IOMMU_CTRL >> 3] \|= val << 32;
		} else {
		is->regs[IOMMU_CTRL] = val;
		is->regs[IOMMU_CTRL >> 3] = val;
		}
		break;
		case IOMMU_CTRL + 0x4:
		@@ -345,7 +345,7 @@ static void iommu_config_write(void *opaque, hwaddr addr,
		is->regs[IOMMU_BASE >> 3] &= 0xffffffffULL;
		is->regs[IOMMU_BASE >> 3] \|= val << 32;
		} else {
		is->regs[IOMMU_BASE] = val;
		is->regs[IOMMU_BASE >> 3] = val;
		}
		break;
		case IOMMU_BASE + 0x4: