From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: Richard Henderson, patches@linaro.org
Date: Tue, 10 Oct 2017 16:54:16 +0100
Message-Id: <1507650856-11718-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH] nvic: Fix miscalculation of offsets into ITNS array

This calculation of the first exception vector in the ITNS register being accessed:

    int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;

is incorrect, because offset is in bytes, so we only want to multiply by 8.

Spotted by Coverity (CID 1381484, CID 1381488), though it is not correct that it actually overflows the buffer, because we have a 'startvec + i < s->num_irq' guard.

Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
---
Oops. I guess this is what Coverity is there to catch :-)

 hw/intc/armv7m_nvic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c index 22d5e6e..201e90f 100644 --- a/hw/intc/armv7m_nvic.c +++ b/hw/intc/armv7m_nvic.c @@ -698,7 +698,7 @@ static uint32_t nvic_readl(NVICState *s, uint32_t offse= t, MemTxAttrs attrs) return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1; case 0x380 ... 0x3bf: /* NVIC_ITNS */ { - int startvec =3D 32 * (offset - 0x380) + NVIC_FIRST_IRQ; + int startvec =3D 8 * (offset - 0x380) + NVIC_FIRST_IRQ; int i; =20 if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) { 
@@ -1102,7 +1102,7 @@ static void nvic_writel(NVICState *s, uint32_t offset= , uint32_t value, switch (offset) { case 0x380 ... 0x3bf: /* NVIC_ITNS */ { - int startvec =3D 32 * (offset - 0x380) + NVIC_FIRST_IRQ; + int startvec =3D 8 * (offset - 0x380) + NVIC_FIRST_IRQ; int i; =20 if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) { --=20 2.7.4
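Review bot: The bare literal 8 in the nvic_readl hunk, `int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;`, wants a one-line comment saying where it comes from, because the unchanged context just above it, `return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;`, works in units of 32 vectors per ITNS register, which is exactly why the old factor of 32 looked right. A comment such as "32 vectors per 4-byte ITNS register, so 8 per byte of offset" makes the byte-to-vector conversion explicit and stops the next reader from "correcting" it back to 32.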
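Review bot: The nvic_writel hunk repeats the identical startvec expression from nvic_readl, and this fix had to be applied in both places; hoisting it into one small static helper used by both the read and write paths (for example an itns_startvec(offset) above the two functions) would keep them from drifting apart again. It is also worth spelling out in the commit message that, because of the 'startvec + i < s->num_irq' guard it cites, the old factor of 32 produced silently skipped vectors for every ITNS register after the first rather than an out-of-bounds access, so this is a functional bug in the ITNS view and not the memory-safety issue Coverity reported.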
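An added illustration, not part of Peter Maydell's patch or of QEMU's code, that models the NVIC_ITNS register bank with the read/write loop shape and the 'startvec + i < s->num_irq' guard the commit message describes, and runs the old and fixed startvec formulas side by side so the effect of the factor-of-4 error is visible. NVIC_FIRST_IRQ is assumed to be 16 here, the nvic_model struct and its itns[] array are a simplified stand-in for NVICState, and the loop bodies are a reconstruction rather than QEMU's own.

```c
/* Added illustration (not QEMU code): models the NVIC_ITNS register bank
 * from hw/intc/armv7m_nvic.c and contrasts the old and fixed startvec
 * calculations under the same "startvec + i < s->num_irq" guard. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NVIC_FIRST_IRQ 16      /* assumed: exception 16 is the first external IRQ */
#define ITNS_BASE      0x380u  /* NVIC_ITNS0 byte offset, as in the hunk */
#define MAX_VECTORS    512     /* constructed bound: 16 ITNS registers x 32 vectors */

/* Simplified stand-in for NVICState: one "targets Non-secure" bit per vector.
 * num_irq must be <= MAX_VECTORS for the guard below to bound the array. */
typedef struct {
    int num_irq;
    bool itns[MAX_VECTORS];
} nvic_model;

typedef int (*startvec_fn)(uint32_t offset);

/* Pre-fix formula: treats the byte offset as though it were a register index. */
static int startvec_old(uint32_t offset)
{
    return 32 * (int)(offset - ITNS_BASE) + NVIC_FIRST_IRQ;
}

/* Fixed formula: each 4-byte ITNS register covers 32 vectors, i.e. 8 per byte. */
static int startvec_fixed(uint32_t offset)
{
    return 8 * (int)(offset - ITNS_BASE) + NVIC_FIRST_IRQ;
}

/* 32-bit ITNS read. The guard keeps every index below num_irq whichever
 * formula produced startvec, so a wrong startvec skips vectors instead of
 * overrunning the array. */
static uint32_t itns_read(const nvic_model *s, uint32_t offset, startvec_fn fn)
{
    int startvec = fn(offset);
    uint32_t val = 0;

    for (int i = 0; i < 32 && startvec + i < s->num_irq; i++) {
        if (s->itns[startvec + i]) {
            val |= 1u << i;
        }
    }
    return val;
}

static void itns_write(nvic_model *s, uint32_t offset, uint32_t value, startvec_fn fn)
{
    int startvec = fn(offset);

    for (int i = 0; i < 32 && startvec + i < s->num_irq; i++) {
        s->itns[startvec + i] = (value >> i) & 1u;
    }
}

/* Set one vector's ITNS bit directly, then read the register at `offset`
 * through the given formula. Returns the register value seen by the guest. */
static uint32_t read_after_set(int num_irq, uint32_t offset, int vector, startvec_fn fn)
{
    nvic_model s = { .num_irq = num_irq };
    s.itns[vector] = true;
    return itns_read(&s, offset, fn);
}

/* Write a register through the given formula, then read it back through the
 * fixed formula, so the result shows which vectors the write actually hit. */
static uint32_t write_readback(int num_irq, uint32_t offset, uint32_t value, startvec_fn fn)
{
    nvic_model s = { .num_irq = num_irq };
    itns_write(&s, offset, value, fn);
    return itns_read(&s, offset, startvec_fixed);
}

int main(void)
{
    /* Constructed configuration: 48 external IRQs, so vectors 16..63 exist
     * and vector 48 belongs to the second ITNS register (offset 0x384). */
    const int num_irq = 64;

    for (uint32_t off = ITNS_BASE; off <= 0x3bcu; off += 4) {
        printf("offset 0x%03x: startvec old=%4d fixed=%4d  "
               "read of vector 48: old=0x%08x fixed=0x%08x\n",
               off, startvec_old(off), startvec_fixed(off),
               read_after_set(num_irq, off, 48, startvec_old),
               read_after_set(num_irq, off, 48, startvec_fixed));
    }
    return 0;
}
```

With the old formula only the first register (offset 0x380) maps to real vectors; every later register computes a startvec at or beyond num_irq, so the guard makes those reads return 0 and drops those writes entirely, which is why Coverity's report was a functional error rather than an overflow.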