blk_getlength() returns an int64_t but the result is stored in a
uint32_t. Errors (negative values) won't be caught by the check in
pnv_pnor_realize() and blk_blockalign() will allocate a very large
buffer in such cases.
Fixes Coverity issue CID 1412226.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---
include/hw/ppc/pnv_pnor.h | 2 +-
hw/ppc/pnv_pnor.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h
index c3dd28643cae..4f96abdfb402 100644
--- a/include/hw/ppc/pnv_pnor.h
+++ b/include/hw/ppc/pnv_pnor.h
@@ -23,7 +23,7 @@ typedef struct PnvPnor {
BlockBackend *blk;
uint8_t *storage;
- uint32_t size;
+ int64_t size;
MemoryRegion mmio;
} PnvPnor;
diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
index 0e86ae2feae6..b061106d1c0c 100644
--- a/hw/ppc/pnv_pnor.c
+++ b/hw/ppc/pnv_pnor.c
@@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
}
static Property pnv_pnor_properties[] = {
- DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20),
+ DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20),
DEFINE_PROP_DRIVE("drive", PnvPnor, blk),
DEFINE_PROP_END_OF_LIST(),
};
--
2.21.1
On Tue, Jan 07, 2020 at 06:18:09PM +0100, Cédric Le Goater wrote:
> blk_getlength() returns an int64_t but the result is stored in a
> uint32_t. Errors (negative values) won't be caught by the check in
> pnv_pnor_realize() and blk_blockalign() will allocate a very large
> buffer in such cases.
>
> Fixes Coverity issue CID 1412226.
>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
Applied to ppc-for-5.0.
> ---
> include/hw/ppc/pnv_pnor.h | 2 +-
> hw/ppc/pnv_pnor.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h
> index c3dd28643cae..4f96abdfb402 100644
> --- a/include/hw/ppc/pnv_pnor.h
> +++ b/include/hw/ppc/pnv_pnor.h
> @@ -23,7 +23,7 @@ typedef struct PnvPnor {
> BlockBackend *blk;
>
> uint8_t *storage;
> - uint32_t size;
> + int64_t size;
> MemoryRegion mmio;
> } PnvPnor;
>
> diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
> index 0e86ae2feae6..b061106d1c0c 100644
> --- a/hw/ppc/pnv_pnor.c
> +++ b/hw/ppc/pnv_pnor.c
> @@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
> }
>
> static Property pnv_pnor_properties[] = {
> - DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20),
> + DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20),
> DEFINE_PROP_DRIVE("drive", PnvPnor, blk),
> DEFINE_PROP_END_OF_LIST(),
> };
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
On 1/7/20 6:18 PM, Cédric Le Goater wrote:
> blk_getlength() returns an int64_t but the result is stored in a
> uint32_t. Errors (negative values) won't be caught by the check in
> pnv_pnor_realize() and blk_blockalign() will allocate a very large
> buffer in such cases.
>
> Fixes Coverity issue CID 1412226.
>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---
> include/hw/ppc/pnv_pnor.h | 2 +-
> hw/ppc/pnv_pnor.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h
> index c3dd28643cae..4f96abdfb402 100644
> --- a/include/hw/ppc/pnv_pnor.h
> +++ b/include/hw/ppc/pnv_pnor.h
> @@ -23,7 +23,7 @@ typedef struct PnvPnor {
> BlockBackend *blk;
>
> uint8_t *storage;
> - uint32_t size;
> + int64_t size;
> MemoryRegion mmio;
> } PnvPnor;
>
> diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
> index 0e86ae2feae6..b061106d1c0c 100644
> --- a/hw/ppc/pnv_pnor.c
> +++ b/hw/ppc/pnv_pnor.c
> @@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
> }
>
> static Property pnv_pnor_properties[] = {
> - DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20),
> + DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20),
If you respin the series please consider using '128 * MiB' here.
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> DEFINE_PROP_DRIVE("drive", PnvPnor, blk),
> DEFINE_PROP_END_OF_LIST(),
> };
>
On Tue, 7 Jan 2020 18:18:09 +0100
Cédric Le Goater <clg@kaod.org> wrote:
> blk_getlength() returns an int64_t but the result is stored in a
> uint32_t. Errors (negative values) won't be caught by the check in
> pnv_pnor_realize() and blk_blockalign() will allocate a very large
> buffer in such cases.
>
> Fixes Coverity issue CID 1412226.
>
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---
Reviewed-by: Greg Kurz <groug@kaod.org>
> include/hw/ppc/pnv_pnor.h | 2 +-
> hw/ppc/pnv_pnor.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h
> index c3dd28643cae..4f96abdfb402 100644
> --- a/include/hw/ppc/pnv_pnor.h
> +++ b/include/hw/ppc/pnv_pnor.h
> @@ -23,7 +23,7 @@ typedef struct PnvPnor {
> BlockBackend *blk;
>
> uint8_t *storage;
> - uint32_t size;
> + int64_t size;
> MemoryRegion mmio;
> } PnvPnor;
>
> diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
> index 0e86ae2feae6..b061106d1c0c 100644
> --- a/hw/ppc/pnv_pnor.c
> +++ b/hw/ppc/pnv_pnor.c
> @@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
> }
>
> static Property pnv_pnor_properties[] = {
> - DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20),
> + DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20),
> DEFINE_PROP_DRIVE("drive", PnvPnor, blk),
> DEFINE_PROP_END_OF_LIST(),
> };
© 2016 - 2026 Red Hat, Inc.