packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/ipmi-smbus-Add-a-check-around-a-memcpy.patch

48 lines
1.6 KiB
Diff
Raw Normal View History

QEMU update to version 6.2.0-90 - i386/cpuid: Move leaf 7 to correct group - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available - target/i386: Change wrong XFRM value in SGX CPUID leaf - target/i386: Enable support for XSAVES based features - target/i386: Add kvm_get_one_msr helper - hw/block/hd-geometry: Do not override specified bios-chs-trans mainline inclusion commit fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix - linux-user/riscv: Align signal frame to 16 bytes mainline inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix - ipmi:smbus: Add a check around a memcpy mainline inclusion commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix - tests/tcg/linux-test: Fix random hangs in test_socket mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category: bugfix - qemu-options.hx: Don't claim "-serial" has limit of 4 serial ports Before v2.12, the implementation of serial ports was limited to a value of MAX_SERIAL_PORTS = 4. We now dynamically allocate the data structures for serial ports, so this limit is no longer present, but the documentation for the -serial options still reads: - target/ppc: Modify the uncorrect value irq to n_IRQ - block-migration: Ensure we don't crash during migration cleanup - target/s390x: fix handling of zeroes in vfmin/vfmax mainline inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix - hw/virtio/virtio-iommu: Enforce power-of-two notify for both MAP and UNMAP mainline inclusion commit 0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix - configure: Add missing POSIX-required space mainline inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix - vga: fix incorrect line height in 640x200x2 mode mainline inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix - hw/ide/core: set ERR_STAT in unsupported command completion - linux-user/flatload.c: Fix setting of image_info::end_code mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category: bugfix - load_elf: fix iterator's type for elf file processing - hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() - hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize() - hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array - chardev/char.c: fix "abstract device type" error message - block/rbd: fix handling of holes in .bdrv_co_block_status - qga: treat get-guest-fsinfo as "best effort" mainline inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix - usb/hcd-xhci: check slotid in xhci_wakeup_endpoint() mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category: bugfix - hw/display/bcm2835_fb: Fix framebuffer allocation address mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category: bugfix - block/parallels: Fix buffer-based write call mainline inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix - vl: Improve error message for conflicting -incoming and -loadvm - hw/smbios: Fix OEM strings table option validation Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2024-03-16 14:59:18 +08:00
From d9f1221c0f4ff778e5e11d71519dfe1fe2f37e28 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Thu, 21 Mar 2024 03:16:54 +0000
Subject: [PATCH] ipmi:smbus: Add a check around a memcpy mainline inclusion
commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix
---------------------------------------------------------------
In one case:
memcpy(sid->inmsg + sid->inlen, buf, len);
if len == 0 then sid->inmsg + sig->inlen can point to one past the inmsg
array if the array is full. We have to allow len == 0 due to some
vagueness in the spec, but we don't have to call memcpy.
Found by Coverity. This is not a problem in practice, but the results
are technically (maybe) undefined. So make Coverity happy.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/ipmi/smbus_ipmi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c
index 1fdf0a66b6..1591211a86 100644
--- a/hw/ipmi/smbus_ipmi.c
+++ b/hw/ipmi/smbus_ipmi.c
@@ -280,7 +280,9 @@ static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
*/
send = true;
}
- memcpy(sid->inmsg + sid->inlen, buf, len);
+ if (len > 0) {
+ memcpy(sid->inmsg + sid->inlen, buf, len);
+ }
sid->inlen += len;
break;
}
--
2.27.0
Reference in New Issue Copy Permalink