On 22 October 2018 at 19:10, P J P <ppan...@redhat.com> wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While performing gpio write via strongarm_gpio_handler_update
> routine, the 'bit' index could access beyond s->handler[28] array.
> Add check to avoid OOB access.
>
> Reported-by: Moguofang <moguof...@huawei.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
>  hw/arm/strongarm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> Update v1: use ARRAY_SIZE macro
>   -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html
>
Hi; thanks for this patch.

Looking at the SA1110 manual, it says that writes to the reserved bits [31:28] are ignored. So I think that rather than doing this check here, we should do what the strongarm_ppc_* code in the same file does -- mask off the high bits for writes to the direction and state registers. Then it will not be possible for high bits to be set here that cause an out-of-range array access.

Side note: this device is used only in the "collie" machine model, which only works via TCG, so this is not a security issue, just a bug (which will only be visible if the guest is buggy.)

thanks
-- PMM
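The two approaches discussed in this thread, side by side, as an added example that is not the submitted patch and not QEMU's own hw/arm/strongarm.c. It is a constructed model of a 28-line GPIO block with a `handler[28]` array: the only assumptions are that lines 0..27 are valid and bits [31:28] of the direction/set/clear registers are reserved, exactly as the reply states. The `gpio_write` function takes a flag selecting either the original behaviour (reserved bits are stored and later become array indices) or the masked behaviour PMM suggests (reserved bits dropped on write). A bounds check in the update loop, standing in for the v1 patch's check, counts how many out-of-range indices each approach would have produced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not QEMU's strongarm.c: 28 GPIO lines, so register
 * bits [31:28] are reserved and valid line numbers are 0..27. */
#define SA_GPIO_LINES 28
#define SA_GPIO_MASK  0x0fffffffu   /* keeps bits [27:0] only */

typedef struct {
    uint32_t dir;                      /* GPDR: 1 = output */
    uint32_t olevel;                   /* output level set via GPSR/GPCR */
    int handler_calls[SA_GPIO_LINES];  /* stands in for qemu_irq handler[28] */
    int oob_attempts;                  /* indices >= 28 rejected by the check */
} SAGpio;

typedef enum { REG_GPDR, REG_GPSR, REG_GPCR } SAGpioReg;

/* Drive every output line whose level changed. The loop index is the bit
 * number, which is what becomes the handler[] array index. */
static void gpio_handler_update(SAGpio *s, uint32_t prev_out)
{
    uint32_t out = s->olevel & s->dir;
    uint32_t diff = out ^ prev_out;
    for (int bit = 0; bit < 32; bit++) {
        if (!(diff & (1u << bit))) {
            continue;
        }
        /* Belt-and-braces check, like the v1 patch. With masked register
         * writes this branch is unreachable, because bits >= 28 are never
         * stored in the first place. */
        if (bit >= SA_GPIO_LINES) {
            s->oob_attempts++;
            continue;
        }
        s->handler_calls[bit]++;
    }
}

/* Guest register write. mask_reserved != 0 selects the hardened behaviour:
 * reserved bits [31:28] are ignored before anything is stored, matching
 * what the SA1110 manual says the hardware does. */
void gpio_write(SAGpio *s, SAGpioReg reg, uint32_t value, int mask_reserved)
{
    uint32_t prev_out = s->olevel & s->dir;
    if (mask_reserved) {
        value &= SA_GPIO_MASK;
    }
    switch (reg) {
    case REG_GPDR: s->dir = value;       break;
    case REG_GPSR: s->olevel |= value;   break;
    case REG_GPCR: s->olevel &= ~value;  break;
    }
    gpio_handler_update(s, prev_out);
}

/* Scenario: a buggy guest writes all-ones to GPDR and then GPSR.
 * Returns how many out-of-range handler indices the update loop saw. */
int scenario_all_ones_oob(int mask_reserved)
{
    SAGpio s;
    memset(&s, 0, sizeof s);
    gpio_write(&s, REG_GPDR, 0xffffffffu, mask_reserved);
    gpio_write(&s, REG_GPSR, 0xffffffffu, mask_reserved);
    return s.oob_attempts;
}

/* Same scenario; returns the direction register as stored after the write,
 * so the effect of masking on the register contents is visible. */
uint32_t scenario_all_ones_dir(int mask_reserved)
{
    SAGpio s;
    memset(&s, 0, sizeof s);
    gpio_write(&s, REG_GPDR, 0xffffffffu, mask_reserved);
    return s.dir;
}

int main(void)
{
    printf("unmasked writes: %d out-of-range handler indices, GPDR=0x%08x\n",
           scenario_all_ones_oob(0), scenario_all_ones_dir(0));
    printf("masked writes:   %d out-of-range handler indices, GPDR=0x%08x\n",
           scenario_all_ones_oob(1), scenario_all_ones_dir(1));
    return 0;
}
```

With the unmasked path the loop reaches bits 28..31 and the in-loop check is the only thing standing between it and `handler[28..31]`; with masking at the register write, those bits never exist in `dir` or `olevel`, so the update loop cannot produce an out-of-range index no matter what the guest writes. That is why masking at the write side is the stronger fix: it removes the bad state rather than tolerating it.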