1. Patchew
  2. QEMU
  3. [PULL 00/23] Functional tests and misc patches
  4. View patch

[PULL 04/23] system/physmem: Silence warning from ubsan

Thomas Huth posted 23 patches 2 weeks, 5 days ago
Maintainers: "Alex Bennée" <alex.bennee@linaro.org>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Thomas Huth <thuth@redhat.com>, Yonggang Luo <luoyonggang@gmail.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Peter Maydell <peter.maydell@linaro.org>, Aurelien Jarno <aurelien@aurel32.net>, Paolo Bonzini <pbonzini@redhat.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, Peter Xu <peterx@redhat.com>, David Hildenbrand <david@redhat.com>, "Cédric Le Goater" <clg@kaod.org>, Steven Lee <steven_lee@aspeedtech.com>, Troy Lee <leetroy@gmail.com>, Jamin Lin <jamin_lin@aspeedtech.com>, Andrew Jeffery <andrew@codeconstruct.com.au>, Joel Stanley <joel@jms.id.au>
[PULL 04/23] system/physmem: Silence warning from ubsan
Posted by Thomas Huth 2 weeks, 5 days ago 
From: Thomas Huth <thuth@redhat.com>

When compiling QEMU with --enable-ubsan there is a undefined behavior
warning when running the bios-tables-test for example:

 .../system/physmem.c:3243:13: runtime error: applying non-zero offset 262144 to null pointer
    #0 0x55ac1df5fbc4 in address_space_write_rom_internal .../system/physmem.c:3243:13

The problem is that buf is indeed NULL if the function is e.g. called
with type == FLUSH_CACHE. Add a check to fix the issue.

Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250728172545.314178-1-thuth@redhat.com>
---
 system/physmem.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/system/physmem.c b/system/physmem.c
index f498572fc82..311011156c7 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -3231,8 +3231,10 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as,
             }
         }
         len -= l;
-        buf += l;
         addr += l;
+        if (buf) {
+            buf += l;
+        }
     }
     return MEMTX_OK;
 }
-- 
2.51.0
Re: [PULL 04/23] system/physmem: Silence warning from ubsan
Posted by Richard Henderson 1 week, 6 days ago 
On 9/9/25 06:51, Thomas Huth wrote:
> From: Thomas Huth <thuth@redhat.com>
> 
> When compiling QEMU with --enable-ubsan there is a undefined behavior
> warning when running the bios-tables-test for example:
> 
>   .../system/physmem.c:3243:13: runtime error: applying non-zero offset 262144 to null pointer
>      #0 0x55ac1df5fbc4 in address_space_write_rom_internal .../system/physmem.c:3243:13
> 
> The problem is that buf is indeed NULL if the function is e.g. called
> with type == FLUSH_CACHE. Add a check to fix the issue.
> 
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Thomas Huth <thuth@redhat.com>
> Message-ID: <20250728172545.314178-1-thuth@redhat.com>
> ---
>   system/physmem.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/system/physmem.c b/system/physmem.c
> index f498572fc82..311011156c7 100644
> --- a/system/physmem.c
> +++ b/system/physmem.c
> @@ -3231,8 +3231,10 @@ static inline MemTxResult address_space_write_rom_internal(AddressSpace *as,
>               }
>           }
>           len -= l;
> -        buf += l;
>           addr += l;
> +        if (buf) {
> +            buf += l;
> +        }
>       }
>       return MEMTX_OK;
>   }

This has caused a new warning from Coverity:

Line 3224:
CID 1621220: (#1 of 1): Dereference after null check (FORWARD_NULL)
10. var_deref_model: Passing null pointer buf to memcpy, which dereferences it. [Note: The 
source code implementation of the function has been overridden by a builtin model.]

Line 3235:
5. var_compare_op: Comparing buf to null implies that buf might be null.

I think the best solution would be to split this function, so that the flush cache 
operation doesn't have the ptr argument at all.

An easy short-term solution could be to move the increment of buf into the WRITE_DATA case 
of the switch.


r~

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.