<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">From 1864c7d06b6c966141f1c049a79bba5b77d21b4e Mon Sep 17 00:00:00 2001
From: Xiao Wang &lt;jasowang@redhat.com&gt;
Date: Tue, 7 Jul 2015 09:19:06 +0200
Subject: [PATCH 092/100] virito-pci: fix OVERRUN problem

Message-id: &lt;1436260751-25015-64-git-send-email-jasowang@redhat.com&gt;
Patchwork-id: 66838
O-Subject: [RHEL7.2 qemu-kvm-rhev PATCH V2 63/68] virito-pci: fix OVERRUN problem
Bugzilla: 1227343
RH-Acked-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
RH-Acked-by: David Gibson &lt;dgibson@redhat.com&gt;
RH-Acked-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
RH-Acked-by: Thomas Huth &lt;thuth@redhat.com&gt;

From: Gonglei &lt;arei.gonglei@huawei.com&gt;

Overrunning array "proxy-&gt;guest_features" of 2 4-byte
elements at element index 2 (byte offset 8) using index
"proxy-&gt;gfselect" (which evaluates to 2). Normally, the
Linux kernel driver just reads/writes '0' or '1' as the
"proxy-&gt;gfselect" values, so use '&lt;' instead of '&lt;=' to
make Coverity happy and avoid potential harm.

Cc: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Gonglei &lt;arei.gonglei@huawei.com&gt;
Reviewed-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;

(cherry picked from commit 3750dabc69d76f0938cc726a64a70e4ae2fe21df)
Signed-off-by: Miroslav Rezanina &lt;mrezanin@redhat.com&gt;
---
 hw/virtio/virtio-pci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 1aba4e2..9b5f009 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -977,7 +977,7 @@ static uint64_t virtio_pci_common_read(void *opaque, hwaddr addr,
         val = proxy-&gt;gfselect;
         break;
     case VIRTIO_PCI_COMMON_GF:
-        if (proxy-&gt;gfselect &lt;= ARRAY_SIZE(proxy-&gt;guest_features)) {
+        if (proxy-&gt;gfselect &lt; ARRAY_SIZE(proxy-&gt;guest_features)) {
             val = proxy-&gt;guest_features[proxy-&gt;gfselect];
         }
         break;
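Review bot: In the VIRTIO_PCI_COMMON_GF read case, an out-of-range proxy-&gt;gfselect now skips the assignment and falls straight through to break, so val keeps whatever it held before the switch. Its initialization is not visible in this hunk; please confirm it is set to a defined value (for example 0) at the top of virtio_pci_common_read so a guest that selects index 2 or higher reads a deterministic result rather than stale data. A short comment saying that out-of-range selectors read as that default would also document the intended behaviour.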
@@ -1052,7 +1052,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
         proxy-&gt;gfselect = val;
         break;
     case VIRTIO_PCI_COMMON_GF:
-        if (proxy-&gt;gfselect &lt;= ARRAY_SIZE(proxy-&gt;guest_features)) {
+        if (proxy-&gt;gfselect &lt; ARRAY_SIZE(proxy-&gt;guest_features)) {
             proxy-&gt;guest_features[proxy-&gt;gfselect] = val;
             virtio_set_features(vdev,
                                 (((uint64_t)proxy-&gt;guest_features[1]) &lt;&lt; 32) |
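Review bot: The commit message undersells this write-side fix: proxy-&gt;gfselect is assigned directly from val in the case just above with no range check, so the value is whatever the guest chose, and with the old "&lt;=" test a selector of 2 stored val one element past the end of the two-entry guest_features array. That is a guest-triggerable out-of-bounds write in the device model, not only a Coverity warning, and the message should say so to help backport triage. Since the check at the point of use is the only guard, it would also be worth auditing the other selector-indexed arrays in this file for the same "&lt;= ARRAY_SIZE(...)" pattern.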
-- 
1.8.3.1

</pre></body></html>