hw: misc: edu: two off-by-one errors
Host environment
- Operating system: irrelevant
- OS/kernel version: irrelevant
- Architecture: irrelevant
- QEMU flavor: all
- QEMU version: 2ba341b3
- QEMU command line:
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m 512M -device edu -nodefaults -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001004
outw 0xcfc 0x02
write 0xe0000080 0x4 0x00001000
write 0xe0000088 0x4 0x00001000
write 0xe0000090 0x4 0x00100000
write 0xe0000098 0x4 0x03000000
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
EOF
Emulated/Virtualized environment
- Operating system: irrelevant
- OS/kernel version: irrelevant
- Architecture: irrelevant
Description of problem
In hw/misc/edu.c, edu_check_range() fails for the boundary conditions size2 == 0 and size2 == size1.
Steps to reproduce
Two ways to reproduce. First, with the attached test program, foo.c:
error:
gcc -o foo foo.c
./foo
fix:
gcc -DFIXED -o foo foo.c
./foo
Second, using qtest (see "QEMU command line" above).
Additional information
Output of foo without the fix:
EDU: DMA range 0x0000000000000000-0x0000000000000fff out of bounds (0x0000000000000000-0xffffffffffffffff)!
EDU: DMA range 0x0000000000000000-0x0000000000000fff out of bounds (0x0000000000000000-0x0000000000000fff)!
Output of qtest without the fix:
qemu: hardware error: EDU: DMA range 0x0000000000000000-0x0000000000000fff out of bounds (0x0000000000040000-0x0000000000040fff)!
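To make the two boundary conditions concrete, here is an illustration added to this report, not QEMU's hw/misc/edu.c: a half-open range check of the kind the report describes (an assumed reconstruction, with made-up names check_range_halfopen/check_range_inclusive) beside an inclusive-end rewrite that accepts a transfer exactly filling the window, reads a window whose start + size2 wraps to 0 as the whole 64-bit space (the 0x0-0xffffffffffffffff bounds printed above), and still refuses a transfer whose addr + size1 overflows.

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustration added to this report, not QEMU's hw/misc/edu.c. */

/* Half-open test: start <= addr < end. */
static bool within_exclusive(uint64_t addr, uint64_t start, uint64_t end)
{
    return start <= addr && addr < end;
}

/* Assumed reconstruction of the failing pattern: both ends are computed
 * as "one past the last byte", so the strict '<' in within_exclusive()
 * rejects end1 == end2 (size2 == size1) and an end2 that wrapped to 0
 * (size2 == 0 at start 0), exactly the two boundary cases reported. */
static bool check_range_halfopen(uint64_t addr, uint64_t size1,
                                 uint64_t start, uint64_t size2)
{
    uint64_t end1 = addr + size1;
    uint64_t end2 = start + size2;

    return within_exclusive(addr, start, end2) &&
           end1 > addr && within_exclusive(end1, start, end2);
}

/* Inclusive-end version: compare last bytes instead. A transfer that
 * exactly fills the window is accepted, a window whose start + size2
 * wraps to 0 covers the whole 64-bit space (last2 == UINT64_MAX), a
 * window that wraps anywhere else rejects everything, and a transfer
 * whose addr + size1 overflows is refused. */
static bool check_range_inclusive(uint64_t addr, uint64_t size1,
                                  uint64_t start, uint64_t size2)
{
    uint64_t last1, last2;

    if (size1 == 0) {
        return false;               /* empty transfer: nothing to allow */
    }
    last1 = addr + size1 - 1;
    last2 = start + size2 - 1;      /* UINT64_MAX when start + size2 == 0 */
    if (last1 < addr) {
        return false;               /* addr + size1 wrapped around */
    }
    return start <= addr && last1 <= last2;
}
```

The three ranges from the outputs above (window 0x0 size 0, window 0x0 size 0x1000, window 0x40000 size 0x1000, each with a 0x1000-byte transfer at 0x0) are the inputs worth trying: only the last one is genuinely out of bounds.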
Patch has been submitted to qemu-devel
Edited by Christopher Friedt