
changeset 12617:7cb4376044b5

[QEMU] pci: Unaligned config read/write overflow

The default config read/write handlers allows a 4-byte read/write at
address 255. This can clobber the field after the config area. This
happens to be the PCIBus pointer in the PCIDevice structure.

This patch stops this by reducing the read/write to the (largest
multiple of 2) number of bytes within the config area.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author kfraser@localhost.localdomain
date Tue Nov 28 13:46:10 2006 +0000 (2006-11-28)
parents b08e7ed94991
children 99878f3f74ee
files tools/ioemu/hw/pci.c
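--- a/tools/ioemu/hw/pci.c
+++ b/tools/ioemu/hw/pci.c
@@ -221,17 +221,24 @@ uint32_t pci_default_read_config(PCIDevi
                                  uint32_t address, int len)
 {
     uint32_t val;
+
     switch(len) {
+    default:
+    case 4:
+	if (address <= 0xfc) {
+	    val = le32_to_cpu(*(uint32_t *)(d->config + address));
+	    break;
+	}
+	/* fall through */
+    case 2:
+        if (address <= 0xfe) {
+	    val = le16_to_cpu(*(uint16_t *)(d->config + address));
+	    break;
+	}
+	/* fall through */
     case 1:
         val = d->config[address];
         break;
-    case 2:
-        val = le16_to_cpu(*(uint16_t *)(d->config + address));
-        break;
-    default:
-    case 4:
-        val = le32_to_cpu(*(uint32_t *)(d->config + address));
-        break;
     }
     return val;
 }
@@ -333,7 +340,8 @@ void pci_default_write_config(PCIDevice 
 
             d->config[addr] = val;
         }
-        addr++;
+        if (++addr > 0xff)
+        	break;
         val >>= 8;
     }
 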
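Review bot: The new bounds in pci_default_read_config guard only the 2- and 4-byte dereferences; the `case 1` path that every width now falls through to still indexes `d->config[address]` with an unchecked `address` (a uint32_t), so the fix relies on each caller already masking the address to 0..0xff, which is not visible here and worth confirming. The narrowing is also silent: a 4-byte read at 0xfd..0xff comes back as a 16- or 8-bit value with the upper bytes zero, which deserves a comment above the `switch`, e.g. `/* A wide read that would run past config[255] is narrowed to the widest access that still fits; the missing upper bytes read as zero. */`. The write hunk has the matching gap: `if (++addr > 0xff) break;` stops the loop from running off the end, but the initial `addr` is not checked within the hunk. The added lines mix tab and space indentation (`if (address <= 0xfc)` is tab-indented, `if (address <= 0xfe)` space-indented, and the `break;` after `++addr` uses both), which should follow the file's four-space style. Both pci_default_read_config and pci_default_write_config start outside their hunks.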