From: Eric Auger
To: eric.auger.pro@gmail.com, eric.auger@redhat.com, qemu-devel@nongnu.org, qemu-arm@nongnu.org, peter.maydell@linaro.org
Date: Wed, 16 May 2018 14:03:03 -0400
Message-Id: <1526493784-25328-2-git-send-email-eric.auger@redhat.com>
In-Reply-To: <1526493784-25328-1-git-send-email-eric.auger@redhat.com>
Subject: [Qemu-devel] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event

Coverity complains about use of uninitialized Evt struct. The EVT_SET_TYPE and similar setters use deposit32() on fields in the struct, so they read the uninitialized existing values. In cases where we don't set all the fields in the event struct we'll end up leaking random uninitialized data from QEMU's stack into the guest.

Initializing the struct with "Evt evt = {};" ought to satisfy Coverity and fix the data leak.

Signed-off-by: Eric Auger
Reported-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
--- hw/arm/smmuv3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c index b3026de..42dc521 100644 --- a/hw/arm/smmuv3.c +++ b/hw/arm/smmuv3.c 
@@ -143,7 +143,7 @@ static MemTxResult smmuv3_write_eventq(SMMUv3State *s, = Evt *evt) =20 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info) { - Evt evt; + Evt evt =3D {}; MemTxResult r; =20 if (!smmuv3_eventq_enabled(s)) { --=20 1.8.3.1
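
Review bot: In smmuv3_record_event(), the zero-initialisation added by `Evt evt = {};` becomes a hidden precondition of the EVT_SET_* setters, and nothing at the declaration records it. Per the commit message those setters do a deposit32() read-modify-write and the record ends up visible to the guest, so a later refactor that drops the initializer, or builds an Evt somewhere else, reintroduces the stack-data leak with no compile-time signal. A one-line comment on the declaration stating that the setters rely on a zeroed record would help, and it is worth confirming that no other Evt is declared without an initializer. The empty-brace form is also a GNU extension before C23; `{ 0 }` is the portable spelling if that matters for this tree.
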
From: Eric Auger
To: eric.auger.pro@gmail.com, eric.auger@redhat.com, qemu-devel@nongnu.org, qemu-arm@nongnu.org, peter.maydell@linaro.org
Date: Wed, 16 May 2018 14:03:04 -0400
Message-Id: <1526493784-25328-3-git-send-email-eric.auger@redhat.com>
In-Reply-To: <1526493784-25328-1-git-send-email-eric.auger@redhat.com>
Subject: [Qemu-devel] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address

Coverity points out that this can overflow if n > 31, because it's only doing 32-bit arithmetic. Let's use 1ULL instead of 1. Also the formulae used to compute n can be replaced by the level_shift() macro.

Reported-by: Peter Maydell
Signed-off-by: Eric Auger
Reviewed-by: Philippe Mathieu-Daudé
--- hw/arm/smmu-common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c index 01c7be8..3c5f724 100644 --- a/hw/arm/smmu-common.c +++ b/hw/arm/smmu-common.c @@ -83,9 +83,9 @@ static inline hwaddr get_table_pte_address(uint64_t pte, = int granule_sz) static inline hwaddr get_block_pte_address(uint64_t pte, int level, int granule_sz, uint64_t *bsz) { - int n =3D (granule_sz - 3) * (4 - level) + 3; + int n =3D level_shift(level, granule_sz); =20 - *bsz =3D 1 << n; + *bsz =3D 1ULL << n; return PTE_ADDRESS(pte, n); } =20 --=20 1.8.3.1
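
Review bot: In get_block_pte_address(), `n` is still a signed int that feeds `1ULL << n` with no range check, so the change moves the undefined-behaviour threshold from 31 to 63 rather than removing it. With `level` and `granule_sz` arriving as plain int parameters, an assertion such as n >= 0 && n < 64 before the shift, or a comment stating the value ranges the callers guarantee, would make the bound explicit. The same hunk swaps `(granule_sz - 3) * (4 - level) + 3` for level_shift(level, granule_sz), whose definition is not part of this diff; the commit message should state that the two are equivalent so the change can be checked as a pure refactor.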