Hello Paolo,

+-- On Mon, 25 Jan 2016, Paolo Bonzini wrote --+
| This should be handled correctly by address_space_translate_internal:
|
|     if (memory_region_is_ram(mr)) {
|         diff = int128_sub(section->size, int128_make64(addr));
|         *plen = int128_get64(int128_min(diff, int128_make64(*plen)));
|     }
|
| ... then, on return from address_space_translate, l will be 1:
|
| e.g. section->size = 0x100000000, addr = 0xffffffff;
|      diff = 1;
|      *plen = min(diff, *plen) = min(1, 4) = 1
I see. Sorry, I think the issue affects versions <= v2.3.1 and not v2.4.x. The v2.3.x series seems to be missing this patch -> http://git.qemu.org/?p=qemu.git;a=commit;h=23820dbfc79d1c9dce090b4c555994f2bb6a69b3 which avoids setting '*plen' to its earlier value. I'll send it to the -stable list.

| You also have to test that the patch doesn't break other code. It's not
| enough to test that it solves your problem.

Right, I'll run the tests/* going forward.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F