[Qemu-devel] [PATCH] target-i386: pc: fix crash when attempting hotplug CPU with negative ID
QMP command { 'execute': 'cpu-add', 'arguments': { 'id': -1 }} may cause QEMU SIGSEGV at: piix4_cpu_hotplug_req () ... g-sts[cpu_id / 8] |= (1 (cpu_id % 8)); ... Since for PC in current implementation id should be in range [0...maxcpus) and maxcpus already checked, add check for lower bound and error out on incorrect value. Signed-off-by: Igor Mammedov imamm...@redhat.com --- hw/i386/pc.c |5 + 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 197d218..e2c44f8 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -927,6 +927,11 @@ void pc_hot_add_cpu(const int64_t id, Error **errp) DeviceState *icc_bridge; int64_t apic_id = x86_cpu_apic_id_from_index(id); +if (id 0) { +error_setg(errp, Invalid CPU id: % PRIi64, id); +return; +} + if (cpu_exists(apic_id)) { error_setg(errp, Unable to add CPU: % PRIi64 , it already exists, id); -- 1.7.1
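Review bot: the new lower-bound check in pc_hot_add_cpu() is placed after `int64_t apic_id = x86_cpu_apic_id_from_index(id);`, so a negative id is still passed through the APIC-ID derivation before it is rejected; nothing derived from an unvalidated id should exist at that point. Move the check ahead of that declaration (or declare apic_id after it and assign only once id is known to be in [0, maxcpus)) so the first thing the function does with id is validate it. The commit message says "maxcpus already checked", but that upper-bound check is not visible in this hunk; naming where it lives would let a reader confirm the two halves of the range check together.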
Re: [Qemu-devel] [PATCH] target-i386: pc: fix crash when attempting hotplug CPU with negative ID
On 30.05.2013 17:09, Igor Mammedov wrote:
> QMP command { 'execute': 'cpu-add', 'arguments': { 'id': -1 }} may cause
> QEMU SIGSEGV at:
> piix4_cpu_hotplug_req ()
> ...
> g->sts[cpu_id / 8] |= (1 << (cpu_id % 8));
> ...
> Since for PC in current implementation id should be in range [0...maxcpus)
> and maxcpus already checked, add check for lower bound and error out on
> incorrect value.
>
> Signed-off-by: Igor Mammedov imamm...@redhat.com
> ---
> hw/i386/pc.c | 5 +
> 1 files changed, 5 insertions(+), 0 deletions(-)

Thanks, applied to qom-cpu (with commit message massaged a bit):
https://github.com/afaerber/qemu-cpu/commits/qom-cpu

Andreas

--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
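To show concretely why a negative cpu-add id must be rejected before any index is derived from it, here is an added, self-contained C example. It is not QEMU code: the bitmap, MAX_CPUS, the function names and the error codes are all constructed for illustration, and the "narrowed index" path is an assumption about what happens when a negative int64_t id is converted to an unsigned index before the check runs.

```c
/* Added example, not QEMU code: why a negative hotplug id is dangerous and
 * how a bounds check at the API boundary avoids it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CPUS 16                    /* constructed stand-in for maxcpus */

/* Constructed stand-in for a hotplug status bitmap: one bit per CPU. */
typedef struct {
    uint8_t sts[MAX_CPUS / 8];
} cpu_status;

/* The index arithmetic from the crash site, done on an int64_t id and
 * without touching memory so the bad values can be inspected safely.
 * C99 division truncates toward zero: -1 / 8 == 0 but -1 % 8 == -1, so the
 * byte index can look in range while the shift count is negative (undefined
 * behaviour); a more negative id such as -9 gives byte index -1, a write
 * before the start of the array. */
int64_t raw_byte_index(int64_t cpu_id) { return cpu_id / 8; }
int64_t raw_shift(int64_t cpu_id)      { return cpu_id % 8; }

/* Assumption for illustration: if the id is narrowed to an unsigned index
 * before validation, -1 becomes 0xFFFFFFFF and the byte index lands far
 * beyond any bitmap. */
uint64_t narrowed_byte_index(int64_t cpu_id)
{
    unsigned int idx = (unsigned int)cpu_id;
    return (uint64_t)idx / 8;
}

enum { ADD_OK = 0, ADD_EINVAL = -1, ADD_EEXIST = -2 };

/* Hardened add: validate id against [0, maxcpus) before deriving anything
 * from it, then refuse a CPU that is already present. maxcpus itself is
 * bounded by the bitmap size so the function can never index past sts[]. */
int hot_add_cpu(cpu_status *s, int64_t id, int64_t maxcpus)
{
    if (maxcpus < 0 || maxcpus > MAX_CPUS) {
        return ADD_EINVAL;
    }
    if (id < 0 || id >= maxcpus) {
        return ADD_EINVAL;                /* lower AND upper bound, first */
    }
    uint8_t *byte = &s->sts[id / 8];      /* only now is id / 8 meaningful */
    uint8_t bit = (uint8_t)(1u << (id % 8));
    if (*byte & bit) {
        return ADD_EEXIST;
    }
    *byte |= bit;
    return ADD_OK;
}

int cpu_present(const cpu_status *s, int64_t id)
{
    if (id < 0 || id >= MAX_CPUS) {
        return 0;
    }
    return (s->sts[id / 8] >> (id % 8)) & 1;
}

/* Walks the expected behaviour; returns 0 on success, else the failing step. */
int run_scenario(void)
{
    cpu_status s;
    memset(&s, 0, sizeof s);
    if (hot_add_cpu(&s, -1, MAX_CPUS) != ADD_EINVAL)       return 1;
    if (hot_add_cpu(&s, MAX_CPUS, MAX_CPUS) != ADD_EINVAL) return 2;
    if (hot_add_cpu(&s, 3, MAX_CPUS) != ADD_OK)            return 3;
    if (!cpu_present(&s, 3))                               return 4;
    if (hot_add_cpu(&s, 3, MAX_CPUS) != ADD_EEXIST)        return 5;
    if (cpu_present(&s, 2))                                return 6;
    return 0;
}

int main(void)
{
    printf("id=-1: byte %lld, shift %lld, narrowed byte %llu\n",
           (long long)raw_byte_index(-1), (long long)raw_shift(-1),
           (unsigned long long)narrowed_byte_index(-1));
    printf("id=-9: byte %lld\n", (long long)raw_byte_index(-9));
    printf("scenario: %d\n", run_scenario());
    return 0;
}
```

The point is ordering: the range check is the first thing done with the untrusted id, so neither the bitmap index, the shift count nor any narrowed copy of the id is ever computed from a value that has not been validated.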