[PATCH] hw/nvram: Make (len + offset) check more strict

Artem Chernyshev posted 1 patch 1 week, 6 days ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20240416082631.2417370-1-artem.chernyshev@red-soft.ru
Maintainers: Nicholas Piggin <npiggin@gmail.com>, Daniel Henrique Barboza <danielhb413@gmail.com>, David Gibson <david@gibson.dropbear.id.au>, Harsh Prateek Bora <harshpb@linux.ibm.com>
hw/nvram/spapr_nvram.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
In rtas_nvram_fetch() and rtas_nvram_store(), if len is equal
to zero, the result of cpu_physical_memory_map() will be NULL.
This will lead to a NULL dereference, since the return value is used
without a check. It can be avoided by making the if condition
more strict.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Oleg Sviridov <oleg.sviridov@red-soft.ru>
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
 hw/nvram/spapr_nvram.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/nvram/spapr_nvram.c b/hw/nvram/spapr_nvram.c
index bfd8aa367e..bf0a7d05df 100644
--- a/hw/nvram/spapr_nvram.c
+++ b/hw/nvram/spapr_nvram.c
@@ -79,7 +79,7 @@ static void rtas_nvram_fetch(PowerPCCPU *cpu, SpaprMachineState *spapr,
     buffer = rtas_ld(args, 1);
     len = rtas_ld(args, 2);
 
-    if (((offset + len) < offset)
+    if (((offset + len) <= offset)
         || ((offset + len) > nvram->size)) {
         rtas_st(rets, 0, RTAS_OUT_PARAM_ERROR);
         rtas_st(rets, 1, 0);
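Review bot: Changing `<` to `<=` on the `(offset + len)` comparison folds two different conditions (wrap-around and len == 0) into one expression, which is correct only if `offset` and `len` are unsigned (the hunk does not show their declarations) and leaves the zero-length case invisible to the next reader. An explicit `len == 0 ||` term, or a one-line comment above the condition, would make the intent clear. The commit message should also state that a zero-length fetch now returns RTAS_OUT_PARAM_ERROR, since that is a guest-visible behaviour change, and the hunk does not show the `cpu_physical_memory_map()` call itself, so it is worth confirming whether its NULL return is also checked there rather than relying solely on this pre-check.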
@@ -120,7 +120,7 @@ static void rtas_nvram_store(PowerPCCPU *cpu, SpaprMachineState *spapr,
     buffer = rtas_ld(args, 1);
     len = rtas_ld(args, 2);
 
-    if (((offset + len) < offset)
+    if (((offset + len) <= offset)
         || ((offset + len) > nvram->size)) {
         rtas_st(rets, 0, RTAS_OUT_PARAM_ERROR);
         return;
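Review bot: This is the same `<=` change as in rtas_nvram_fetch() applied to an identical condition, so the same unsigned-type and readability comments apply, and the duplicated range check is a candidate for a small shared helper so the two call sites cannot drift apart again. Note also that the existing error path here stores only `rets[0]` (`rtas_st(rets, 0, RTAS_OUT_PARAM_ERROR); return;`) while the fetch path also writes `rets[1]`; that asymmetry predates this patch but is worth a look while touching both functions.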
-- 
2.37.3