From: Samuel Mendoza-Jonas
Date: Mon, 17 Nov 2014 04:12:29 +0000 (+1100)
Subject: spapr: Fix integer overflow during migration (TCG)
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=338c25b6929b5436a42aaa106c7e9136cf1ff4dc;p=people%2Fliuw%2Fqemu.git

spapr: Fix integer overflow during migration (TCG)

The n_valid and n_invalid fields are unsigned short integers but it is possible to have more than 65535 entries in a contiguous hunk, overflowing the field. This results in an incorrect HTAB being sent to the destination during migration.

Signed-off-by: Samuel Mendoza-Jonas
Reviewed-by: Alexey Kardashevskiy
Signed-off-by: Alexander Graf
---

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 869b72125a..765a44c133 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1065,7 +1065,7 @@ static void htab_save_first_pass(QEMUFile *f, sPAPREnvironment *spapr,
 /* Consume valid HPTEs */
 chunkstart = index;
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
 && HPTE_VALID(HPTE(spapr->htab, index))) {
 index++;
 CLEAN_HPTE(HPTE(spapr->htab, index));
@@ -1117,7 +1117,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr,
 chunkstart = index;
 /* Consume valid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
 && HPTE_DIRTY(HPTE(spapr->htab, index))
 && HPTE_VALID(HPTE(spapr->htab, index))) {
 CLEAN_HPTE(HPTE(spapr->htab, index));
@@ -1127,7 +1127,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr,
 invalidstart = index;
 /* Consume invalid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - invalidstart < USHRT_MAX)
 && HPTE_DIRTY(HPTE(spapr->htab, index))
 && !HPTE_VALID(HPTE(spapr->htab, index))) {
 CLEAN_HPTE(HPTE(spapr->htab, index));
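Review bot: The new bound in htab_save_first_pass caps a chunk at USHRT_MAX entries with a bare limits.h constant, and nothing at the loop ties that number to the width of the n_valid/n_invalid fields the commit message describes; the same applies to the two bounded loops in htab_save_later_pass in the second and third hunks. A one-line comment above the first bounded loop, e.g. `/* n_valid/n_invalid on the wire are unsigned short: a chunk must stay below USHRT_MAX entries */`, would make the invariant checkable the next time the record format is touched. Separately, in this first hunk the body still does `index++;` before `CLEAN_HPTE(HPTE(spapr->htab, index));`, so the entry cleaned is the one after the entry just consumed — the opposite order from the later-pass loops — and on the final iteration index can equal htabslots; if CLEAN_HPTE writes into the table, that looks like a pre-existing off-by-one worth a follow-up rather than something this commit introduces. Both enclosing functions start and end outside the hunks.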