diff options
author | Samuel Mendoza-Jonas <sam.mj@au1.ibm.com> | 2014-11-17 15:12:29 +1100 |
---|---|---|
committer | Alexander Graf <agraf@suse.de> | 2015-01-07 16:16:26 +0100 |
commit | 338c25b6929b5436a42aaa106c7e9136cf1ff4dc (patch) | |
tree | 1878b0cf554ee790bfc8528ac5f737119273d7f9 /hw/ppc/spapr.c | |
parent | 01a579729b2e614bd02b25c8504976eeecb64eff (diff) |
spapr: Fix integer overflow during migration (TCG)
The n_valid and n_invalid fields are unsigned short integers but it is
possible to have more than 65535 entries in a contiguous hunk, overflowing
the field. This results in an incorrect HTAB being sent to the destination
during migration.
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>
Diffstat (limited to 'hw/ppc/spapr.c')
-rw-r--r-- | hw/ppc/spapr.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 869b72125a..765a44c133 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -1065,7 +1065,7 @@ static void htab_save_first_pass(QEMUFile *f, sPAPREnvironment *spapr, /* Consume valid HPTEs */ chunkstart = index; - while ((index < htabslots) + while ((index < htabslots) && (index - chunkstart < USHRT_MAX) && HPTE_VALID(HPTE(spapr->htab, index))) { index++; CLEAN_HPTE(HPTE(spapr->htab, index)); @@ -1117,7 +1117,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr, chunkstart = index; /* Consume valid dirty HPTEs */ - while ((index < htabslots) + while ((index < htabslots) && (index - chunkstart < USHRT_MAX) && HPTE_DIRTY(HPTE(spapr->htab, index)) && HPTE_VALID(HPTE(spapr->htab, index))) { CLEAN_HPTE(HPTE(spapr->htab, index)); @@ -1127,7 +1127,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr, invalidstart = index; /* Consume invalid dirty HPTEs */ - while ((index < htabslots) + while ((index < htabslots) && (index - invalidstart < USHRT_MAX) && HPTE_DIRTY(HPTE(spapr->htab, index)) && !HPTE_VALID(HPTE(spapr->htab, index))) { CLEAN_HPTE(HPTE(spapr->htab, index)); |