path: root/results/classifier/zero-shot/118/none/1254
blob: 6db169c496680aabcf8176c4e44beed2fdd81099
graphic: 0.662
device: 0.614
performance: 0.610
peripherals: 0.468
socket: 0.378
architecture: 0.365
user-level: 0.365
network: 0.328
semantic: 0.286
hypervisor: 0.262
x86: 0.250
PID: 0.243
assembly: 0.239
kernel: 0.222
mistranslation: 0.221
files: 0.213
boot: 0.206
VMM: 0.205
vnc: 0.201
register: 0.201
virtual: 0.193
ppc: 0.184
KVM: 0.183
permissions: 0.176
debug: 0.167
TCG: 0.156
i386: 0.150
risc-v: 0.132
arm: 0.099

hw: misc: edu: two off-by-one errors
Description of problem:
In `hw/misc/edu.c`, `edu_check_range()` fails for boundary conditions where `size2 == 0` and `size2 == size1`.
Steps to reproduce:
Two ways to reproduce: the attached test program ([foo.c](/uploads/9cbef4f72d175b8336b58f607e262d7b/foo.c)) and `qtest`.

To reproduce the error:
1. `gcc -o foo foo.c`
2. `./foo`

To build with the fix applied:
1. `gcc -DFIXED -o foo foo.c`
2. `./foo`

Using `qtest` (see "QEMU command line" above).
Additional information:
Output of `foo` without the fix:
```
EDU: DMA range 0x0000000000000000-0x0000000000000fff out of bounds (0x0000000000000000-0xffffffffffffffff)!
EDU: DMA range 0x0000000000000000-0x0000000000000fff out of bounds (0x0000000000000000-0x0000000000000fff)!
```

Output of `qtest` without the fix:
```
qemu: hardware error: EDU: DMA range 0x0000000000000000-0x0000000000000fff out of bounds (0x0000000000040000-0x0000000000040fff)!
CPU #0:
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000663
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 00000000 0000ffff 00009300
CS =f000 ffff0000 0000ffff 00009b00
SS =0000 00000000 0000ffff 00009300
DS =0000 00000000 0000ffff 00009300
FS =0000 00000000 0000ffff 00009300
GS =0000 00000000 0000ffff 00009300
LDT=0000 00000000 0000ffff 00008200
TR =0000 00000000 0000ffff 00008b00
GDT=     00000000 0000ffff
IDT=     00000000 0000ffff
CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 
DR6=ffff0ff0 DR7=00000400
EFER=0000000000000000
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000000000000 0000000000000000 XMM01=0000000000000000 0000000000000000
XMM02=0000000000000000 0000000000000000 XMM03=0000000000000000 0000000000000000
XMM04=0000000000000000 0000000000000000 XMM05=0000000000000000 0000000000000000
XMM06=0000000000000000 0000000000000000 XMM07=0000000000000000 0000000000000000
```

A patch has been submitted to `qemu-devel`.
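As an added example, not the reporter's `foo.c` and not the code in `hw/misc/edu.c`: an assumed reconstruction of an end-address comparison that reproduces the two rejections shown in the `foo` output above, beside an overflow-safe check that compares last-byte addresses inclusively. It assumes a window size of 0 means the window extends to the top of the 64-bit address space (which matches how the first output line prints that window) and keeps rejecting zero-length transfers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed reconstruction of the failing check (not QEMU's code): it forms
 * exclusive end addresses and requires end1 < end2, so a transfer that fills
 * the window exactly is rejected, and a window whose start + size2 wraps to
 * 0 (size2 == 0) makes "addr < end2" false for every address. */
static bool check_range_buggy(uint64_t addr, uint64_t size1,
                              uint64_t start, uint64_t size2)
{
    uint64_t end1 = addr + size1;
    uint64_t end2 = start + size2;
    return start <= addr && addr < end2 &&
           end1 > addr && start <= end1 && end1 < end2;
}

/* Hardened form: compare the last byte of each range rather than the
 * one-past-the-end address, so the bound is inclusive and every addition
 * is checked for wrap. size2 == 0 is taken to mean "up to the top of the
 * address space" (assumption); zero-length transfers stay rejected. */
static bool check_range_fixed(uint64_t addr, uint64_t size1,
                              uint64_t start, uint64_t size2)
{
    uint64_t xfer_last, win_last;
    if (size1 == 0) {
        return false;
    }
    xfer_last = addr + (size1 - 1);
    if (xfer_last < addr) {             /* transfer wraps past 2^64 */
        return false;
    }
    win_last = size2 ? start + (size2 - 1) : UINT64_MAX;
    if (win_last < start) {             /* malformed window */
        return false;
    }
    return addr >= start && xfer_last <= win_last;
}

int main(void)
{
    printf("exact fit : buggy=%d fixed=%d\n",
           check_range_buggy(0, 0x1000, 0, 0x1000),
           check_range_fixed(0, 0x1000, 0, 0x1000));
    printf("size2 == 0: buggy=%d fixed=%d\n",
           check_range_buggy(0, 0x1000, 0, 0),
           check_range_fixed(0, 0x1000, 0, 0));
    return 0;
}
```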