Commit cbd0d7f3 authored Jan 17, 2020 by Greg Kurz Committed by David Gibson Feb 02, 2020

spapr: Fail CAS if option vector table cannot be parsed



Most of the option vector helpers have assertions to check their
arguments aren't null. The guest can provide an arbitrary address
for the CAS structure that would result in such null arguments.
Fail CAS with H_PARAMETER and print a warning instead of aborting
QEMU.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <157925255250.397143.10855183619366882459.stgit@bahia.lan>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

parent 6e0552a3

hw/ppc/spapr_hcall.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1703,7 +1703,15 @@ static target_ulong h_client_architecture_support(PowerPCCPU *cpu,
		ov_table = addr;

		ov1_guest = spapr_ovec_parse_vector(ov_table, 1);
		if (!ov1_guest) {
		warn_report("guest didn't provide option vector 1");
		return H_PARAMETER;
		}
		ov5_guest = spapr_ovec_parse_vector(ov_table, 5);
		if (!ov5_guest) {
		warn_report("guest didn't provide option vector 5");
		return H_PARAMETER;
		}
		if (spapr_ovec_test(ov5_guest, OV5_MMU_BOTH)) {
		error_report("guest requested hash and radix MMU, which is invalid.");
		exit(EXIT_FAILURE);