On 03/10/20 18:15, Alex Williamson wrote:
> vfio_rom_read() relies on memcpy() doing the logically correct thing,
> ie. safely copying zero bytes from a NULL pointer when rom_size is
> zero, rather than the spec definition, which is undefined when the
> source or target pointers are NULL. Resolve this by wrapping the
> call in the condition expressed previously by the ternary.
>
> Additionally, we still use @val to fill data based on the provided
> @size regardless of mempcy(), so we should initialize @val rather
> than @data.
>
> Reported-by: Longpeng <longpe...@huawei.com>
> Reported-by: Laszlo Ersek <ler...@redhat.com>
> Signed-off-by: Alex Williamson <alex.william...@redhat.com>
> ---
> hw/vfio/pci.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index 5e75a95129ac..b0799cdc28ad 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -859,16 +859,17 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr
> addr, unsigned size)
> uint16_t word;
> uint32_t dword;
> uint64_t qword;
> - } val;
> - uint64_t data = 0;
> + } val = { 0 };
> + uint64_t data;
>
> /* Load the ROM lazily when the guest tries to read it */
> if (unlikely(!vdev->rom && !vdev->rom_read_failed)) {
> vfio_pci_load_rom(vdev);
> }
>
> - memcpy(&val, vdev->rom + addr,
> - (addr < vdev->rom_size) ? MIN(size, vdev->rom_size - addr) : 0);
> + if (addr < vdev->rom_size) {
> + memcpy(&val, vdev->rom + addr, MIN(size, vdev->rom_size - addr));
> + }
>
> switch (size) {
> case 1:
>
sorry I'm processing my INBOX in basically... random order. :/
So as I stated in the earlier thread, I suggest casting "vdev->rom" to a
character type, before the addition operator "+" binds.
With that:
Reviewed-by: Laszlo Ersek <ler...@redhat.com>
Thanks
Laszlo
