[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-ppc] [PATCH V2 2/3] spapr: Fix integer overflow during migration (
From: |
Samuel Mendoza-Jonas |
Subject: |
[Qemu-ppc] [PATCH V2 2/3] spapr: Fix integer overflow during migration (TCG) |
Date: |
Mon, 17 Nov 2014 15:12:29 +1100 |
The n_valid and n_invalid fields are unsigned short integers but it is
possible to have more than 65535 entries in a contiguous hunk, overflowing
the field. This results in an incorrect HTAB being sent to the destination
during migration.
Signed-off-by: Samuel Mendoza-Jonas <address@hidden>
---
hw/ppc/spapr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index eb07343..10b7b00 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1045,7 +1045,7 @@ static void htab_save_first_pass(QEMUFile *f,
sPAPREnvironment *spapr,
/* Consume valid HPTEs */
chunkstart = index;
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
&& HPTE_VALID(HPTE(spapr->htab, index))) {
index++;
CLEAN_HPTE(HPTE(spapr->htab, index));
@@ -1097,7 +1097,7 @@ static int htab_save_later_pass(QEMUFile *f,
sPAPREnvironment *spapr,
chunkstart = index;
/* Consume valid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
&& HPTE_DIRTY(HPTE(spapr->htab, index))
&& HPTE_VALID(HPTE(spapr->htab, index))) {
CLEAN_HPTE(HPTE(spapr->htab, index));
@@ -1107,7 +1107,7 @@ static int htab_save_later_pass(QEMUFile *f,
sPAPREnvironment *spapr,
invalidstart = index;
/* Consume invalid dirty HPTEs */
- while ((index < htabslots)
+ while ((index < htabslots) && (index - invalidstart < USHRT_MAX)
&& HPTE_DIRTY(HPTE(spapr->htab, index))
&& !HPTE_VALID(HPTE(spapr->htab, index))) {
CLEAN_HPTE(HPTE(spapr->htab, index));
--
1.9.3