qemu-irix/hw
Paolo Bonzini c8cccba312 xilinx: fix buffer overflow on realize
ASAN complains about buffer overflow when running:
aarch64-softmmu/qemu-system-aarch64 -machine xilinx-zynq-a9

==476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000035e38 at pc 0x000000f75253 bp 0x7ffc597e0ec0 sp 0x7ffc597e0eb0
READ of size 8 at 0x602000035e38 thread T0
    #0 0xf75252 in xilinx_spips_realize hw/ssi/xilinx_spips.c:623
    #1 0xb9ef6c in device_set_realized hw/core/qdev.c:918
    #2 0x129ae01 in property_set_bool qom/object.c:1854
    #3 0x1296e70 in object_property_set qom/object.c:1088
    #4 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27
    #5 0x1297168 in object_property_set_bool qom/object.c:1157
    #6 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358
    #7 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125
    #8 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238
    #9 0x998eac in main /home/elmarco/src/qemu/vl.c:4534
    #10 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #11 0x41d0a8 in _start (/home/elmarco/src/qemu/aarch64-softmmu/qemu-system-aarch64+0x41d0a8)

0x602000035e38 is located 0 bytes to the right of 8-byte region [0x602000035e30,0x602000035e38)
allocated by thread T0 here:
    #0 0x7f970b014e60 in malloc (/lib64/libasan.so.3+0xc6e60)
    #1 0x7f96f15b0e18 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee18)
    #2 0xb9ef6c in device_set_realized hw/core/qdev.c:918
    #3 0x129ae01 in property_set_bool qom/object.c:1854
    #4 0x1296e70 in object_property_set qom/object.c:1088
    #5 0x129dd1b in object_property_set_qobject qom/qom-qobject.c:27
    #6 0x1297168 in object_property_set_bool qom/object.c:1157
    #7 0xb9aeac in qdev_init_nofail hw/core/qdev.c:358
    #8 0x78a5bf in zynq_init_spi_flashes /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:125
    #9 0x78af60 in zynq_init /home/elmarco/src/qemu/hw/arm/xilinx_zynq.c:238
    #10 0x998eac in main /home/elmarco/src/qemu/vl.c:4534
    #11 0x7f96ed692730 in __libc_start_main (/lib64/libc.so.6+0x20730)

s->spi is allocated with the size of num_busses, which may be 1 (by
default).  Change to use a loop up to s->num_busses also for the
call to ssi_auto_connect_slaves().

Reported-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-10-24 15:27:20 +02:00
9pfs 9pfs: fix memory leak in v9fs_write 2016-10-17 14:13:58 +02:00
acpi acpi: provide _PXM method for CPU devices if QEMU is started numa enabled 2016-10-10 01:16:57 +03:00
adc
alpha sun4uv: fix serial initialization regression 2016-10-24 15:27:20 +02:00
arm char: remove init callback 2016-10-24 15:27:20 +02:00
audio
block virtio, pc: fixes and features 2016-10-10 16:23:40 +01:00
bt
char char: remove init callback 2016-10-24 15:27:20 +02:00
core machine: Register TYPE_MACHINE properties as class properties 2016-10-17 15:48:40 -02:00
cpu
cris
display virtio, pc: fixes and features 2016-10-10 16:23:40 +01:00
dma hw/dma/pl080: Fix bad bit mask (PL080_CONF_M1 | PL080_CONF_M1) 2016-10-17 19:22:17 +01:00
gpio
i2c
i386 sun4uv: fix serial initialization regression 2016-10-24 15:27:20 +02:00
ide
input virtio: cleanup VMSTATE_VIRTIO_DEVICE 2016-10-10 02:21:43 +03:00
intc x86 queue, 2016-10-17 2016-10-18 09:29:44 +01:00
ipack
ipmi
isa char: remove init callback 2016-10-24 15:27:20 +02:00
lm32
m68k
mem
microblaze
mips char: remove init callback 2016-10-24 15:27:20 +02:00
misc
moxie
net virtio: cleanup VMSTATE_VIRTIO_DEVICE 2016-10-10 02:21:43 +03:00
nvram
openrisc
pci
pci-bridge
pci-host
pcmcia
ppc spapr: Improved placement of PCI host bridges in guest memory map 2016-10-16 12:04:15 +11:00
s390x
scsi virtio: cleanup VMSTATE_VIRTIO_DEVICE 2016-10-10 02:21:43 +03:00
sd
sh4
smbios
sparc
sparc64 sun4uv: fix serial initialization regression 2016-10-24 15:27:20 +02:00
ssi xilinx: fix buffer overflow on realize 2016-10-24 15:27:20 +02:00
timer * Thread Sanitizer fixes (Alex) 2016-10-10 10:39:29 +01:00
tpm
tricore
unicore32
usb char: remove init callback 2016-10-24 15:27:20 +02:00
vfio vfio: fix duplicate function call 2016-10-17 10:58:03 -06:00
virtio virtio, pc: fixes and features 2016-10-10 16:23:40 +01:00
watchdog
xen
xenpv
xtensa char: remove init callback 2016-10-24 15:27:20 +02:00
Makefile.objs