Coverity found that the variable tx_rx in the function
xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
patch corrects this by always initializing tx_rx to zeros.
Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
---
hw/ssi/xilinx_spips.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index d8187fa..77e1bbe 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -210,6 +210,8 @@
#define SNOOP_NONE 0xEE
#define SNOOP_STRIPING 0
+#define MAX_NUM_EFFECTIVE_BUSSES 2
+
static inline int num_effective_busses(XilinxSPIPS *s)
{
return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
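Review bot: nothing in the visible lines ties the new MAX_NUM_EFFECTIVE_BUSSES constant to num_effective_busses(), which is defined directly below it. Add a comment stating that 2 is the upper bound of that function's return value, or assert the bound inside the function, so that the constant and the function cannot drift apart unnoticed.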
@@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
for (;;) {
int i;
uint8_t tx = 0;
- uint8_t tx_rx[num_effective_busses(s)];
+ uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 };
uint8_t dummy_cycles = 0;
uint8_t addr_length;
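Review bot: at the tx_rx declaration, the array used to be sized by num_effective_busses(s) and is now fixed at MAX_NUM_EFFECTIVE_BUSSES entries, but the hunk adds no check that the code indexing it stays within that bound. Assert that num_effective_busses(s) does not exceed MAX_NUM_EFFECTIVE_BUSSES before the loop, or validate the bus count where the device is configured, so that a larger value is rejected instead of writing past the end of the stack array.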
--
2.9.3
On 14 January 2018 at 22:55, Francisco Iglesias
<frasse.iglesias@gmail.com> wrote:
> Coverity found that the variable tx_rx in the function
> xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
> patch corrects this by always initializing tx_rx to zeros.
>
> Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
> ---
> hw/ssi/xilinx_spips.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index d8187fa..77e1bbe 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -210,6 +210,8 @@
> #define SNOOP_NONE 0xEE
> #define SNOOP_STRIPING 0
>
> +#define MAX_NUM_EFFECTIVE_BUSSES 2
> +
> static inline int num_effective_busses(XilinxSPIPS *s)
> {
> return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> @@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
> for (;;) {
> int i;
> uint8_t tx = 0;
> - uint8_t tx_rx[num_effective_busses(s)];
> + uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 };
> uint8_t dummy_cycles = 0;
> uint8_t addr_length;
It doesn't look like your device's realize method is sanity checking
the num_busses property, so this change means that the user can
make the device model segfault by passing it a num_busses property
value larger than 2...
thanks
-- PMM
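The missing check described in the review above, as an added stand-alone example (not code from the patch or from QEMU): a configuration-time validation that keeps a user-set bus count within the fixed array bound. ToySpiDev, toy_realize and toy_flush are hypothetical names, and the accepted range of 1 to 2 busses is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_NUM_EFFECTIVE_BUSSES 2      /* same bound as in the patch */

/* Hypothetical stand-in for the device state; not QEMU's XilinxSPIPS. */
typedef struct {
    unsigned num_busses;                /* user-settable property */
    int realized;                       /* set only after validation */
} ToySpiDev;

/* Configuration-time check: refuse values the fixed array cannot hold. */
static int toy_realize(ToySpiDev *d, char *err, size_t errlen)
{
    if (d->num_busses == 0 || d->num_busses > MAX_NUM_EFFECTIVE_BUSSES) {
        snprintf(err, errlen, "num_busses must be 1..%d, got %u",
                 MAX_NUM_EFFECTIVE_BUSSES, d->num_busses);
        return -1;
    }
    d->realized = 1;
    return 0;
}

/* Writes one byte per bus into a fixed-size buffer, like the patched code.
 * Returns the number of busses serviced, or -1 if validation never ran. */
static int toy_flush(const ToySpiDev *d, uint8_t tx)
{
    uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 };
    int serviced = 0;
    unsigned i;

    if (!d->realized) {
        return -1;                      /* never index with an unchecked count */
    }
    for (i = 0; i < d->num_busses; i++) {
        tx_rx[i] = tx;                  /* in bounds: realize enforced the limit */
        serviced += (tx_rx[i] == tx);
    }
    return serviced;
}

int main(void)
{
    char err[64] = "";
    ToySpiDev bad = { .num_busses = 3, .realized = 0 };   /* constructed input */

    if (toy_realize(&bad, err, sizeof err) != 0) {
        printf("rejected: %s\n", err);
    }
    printf("flush on unvalidated device: %d\n", toy_flush(&bad, 0xAA));
    return 0;
}
```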
On Tuesday, 16 January 2018, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 14 January 2018 at 22:55, Francisco Iglesias
> <frasse.iglesias@gmail.com> wrote:
> > Coverity found that the variable tx_rx in the function
> > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
> > patch corrects this by always initializing tx_rx to zeros.
> >
> > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
> > ---
> > hw/ssi/xilinx_spips.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> > index d8187fa..77e1bbe 100644
> > --- a/hw/ssi/xilinx_spips.c
> > +++ b/hw/ssi/xilinx_spips.c
> > @@ -210,6 +210,8 @@
> > #define SNOOP_NONE 0xEE
> > #define SNOOP_STRIPING 0
> >
> > +#define MAX_NUM_EFFECTIVE_BUSSES 2
> > +
> > static inline int num_effective_busses(XilinxSPIPS *s)
> > {
> > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> > @@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS
> *s)
> > for (;;) {
> > int i;
> > uint8_t tx = 0;
> > - uint8_t tx_rx[num_effective_busses(s)];
> > + uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 };
> > uint8_t dummy_cycles = 0;
> > uint8_t addr_length;
>
> It doesn't look like your device's realize method is sanity checking
> the num_busses property, so this change means that the user can
> make the device model segfault by passing it a num_busses property
> value larger than 2...
>
> thanks
> -- PMM
>
Hi Peter,
Thank you very much for reviewing the patch and I apologize for missing out
on the above. I'll look into a correction and create a new version of the patch.
Best regards,
Francisco Iglesias