From: Markus Armbruster Date: Tue, 22 Nov 2011 08:46:04 +0000 (+0100) Subject: x86/cpuid: Tighten parsing of tsc_freq=FREQ X-Git-Tag: v1.0-rc4~6 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=45009a3087b4acd8b1c91fcd0b1ee723ac3b0aec;p=qemu-xen-4.6-testing.git x86/cpuid: Tighten parsing of tsc_freq=FREQ cpu_x86_find_by_name() uses strtosz_suffix_unit(), but screws up the error checking. It detects some failures, but not all. Undetected failures result in a zero tsc_khz value (error value -1 divided by 1000), which means "no tsc_freq set". To reproduce, try "-cpu qemu64,tsc_freq=9999999T". strtosz_suffix_unit() fails, because the value overflows int64_t, Signed-off-by: Markus Armbruster Signed-off-by: Anthony Liguori --- diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c index 9fc9769ed..0b3af9060 100644 --- a/target-i386/cpuid.c +++ b/target-i386/cpuid.c @@ -711,7 +711,7 @@ static int cpu_x86_find_by_name(x86_def_t *x86_cpu_def, const char *cpu_model) tsc_freq = strtosz_suffix_unit(val, &err, STRTOSZ_DEFSUFFIX_B, 1000); - if (!*val || *err) { + if (tsc_freq < 0 || *err) { fprintf(stderr, "bad numerical value %s\n", val); goto error; }
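Review bot: the new condition `tsc_freq < 0 || *err` is only a valid error check if `tsc_freq` is a signed type wide enough to hold the -1 that strtosz_suffix_unit() returns on failure; its declaration is outside this hunk, so confirm it is int64_t rather than an unsigned or narrower integer, where the comparison would never fire or the -1 would be truncated. Keeping the `*err` half of the condition is right: a trailing non-suffix character (e.g. "2Gx") leaves the parsed value non-negative, so the sign check alone would not reject it. As a documentation point, the commit message ends mid-sentence after "overflows int64_t,", so the explanation of why the old `!*val || *err` test let that case through never gets finished; the message should say that the parser consumes the whole string and leaves `*err == '\0'`, so only the sign of the return value reveals the failure.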
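The failure mode described in the commit message, as an added example that is not QEMU's code: a toy `toy_strtosz()` written for this illustration models only the contract the message relies on (a size string with an optional B/K/M/G/T suffix scaled by a unit, -1 returned on overflow or a malformed number, end pointer left after the consumed text), and the two `apply_*_check()` helpers mirror the pre- and post-patch conditions from the hunk. The parser, the helper names and the assumption that the suffix multiplier is 1000 are all constructed here, not taken from target-i386/cpuid.c.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for strtosz_suffix_unit(): NOT QEMU's implementation.
 * Parses "<decimal>[B|K|M|G|T]" and scales by `unit` per suffix step.
 * Returns -1 on a malformed number or on int64_t overflow; *end points
 * past the consumed text (so a complete but overflowing string leaves
 * **end == '\0', exactly the case the patch is about). */
static int64_t toy_strtosz(const char *s, const char **end, int64_t unit)
{
    char *ep;
    long long n;
    int steps;

    errno = 0;
    n = strtoll(s, &ep, 10);
    if (ep == s || errno == ERANGE || n < 0) {
        *end = s;               /* nothing usable consumed */
        return -1;
    }
    switch (toupper((unsigned char)*ep)) {
    case 'B': steps = 0; ep++; break;
    case 'K': steps = 1; ep++; break;
    case 'M': steps = 2; ep++; break;
    case 'G': steps = 3; ep++; break;
    case 'T': steps = 4; ep++; break;
    default:  steps = 0;       break;   /* default suffix: bytes */
    }
    *end = ep;
    for (int i = 0; i < steps; i++) {
        if (n > INT64_MAX / unit) {
            return -1;          /* overflow reported as -1, like strtosz */
        }
        n *= unit;
    }
    return n;
}

/* Pre-patch check: only an empty string or trailing junk is rejected.
 * Returns 0 and sets *tsc_khz on acceptance, -1 on rejection. */
static int apply_old_check(const char *val, int64_t *tsc_khz)
{
    const char *err;
    int64_t tsc_freq = toy_strtosz(val, &err, 1000);   /* signed, as required */
    if (!*val || *err) {
        return -1;
    }
    *tsc_khz = tsc_freq / 1000;     /* -1 / 1000 == 0: "no tsc_freq set" */
    return 0;
}

/* Post-patch check: the parser's -1 error return is now caught too. */
static int apply_new_check(const char *val, int64_t *tsc_khz)
{
    const char *err;
    int64_t tsc_freq = toy_strtosz(val, &err, 1000);
    if (tsc_freq < 0 || *err) {
        return -1;
    }
    *tsc_khz = tsc_freq / 1000;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the overflow case from the commit message,
     * a valid value, trailing junk, and an empty string. */
    const char *inputs[] = { "9999999T", "2G", "2Gx", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int64_t old_khz = 0, new_khz = 0;
        int old_rc = apply_old_check(inputs[i], &old_khz);
        int new_rc = apply_new_check(inputs[i], &new_khz);
        printf("%-10s old: rc=%2d khz=%lld   new: rc=%2d khz=%lld\n",
               inputs[i], old_rc, (long long)old_khz,
               new_rc, (long long)new_khz);
    }
    return 0;
}
```

The old check silently accepts "9999999T" and produces tsc_khz == 0, which downstream code reads as "no tsc_freq given"; the new check rejects it while still rejecting "2Gx" through the `*err` test.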