Re: [PULL 22/33] spapr: Implement Open Firmware client interface
From: Peter Maydell
Subject: Re: [PULL 22/33] spapr: Implement Open Firmware client interface
Date: Tue, 13 Jul 2021 12:01:23 +0100
On Fri, 9 Jul 2021 at 06:17, David Gibson <david@gibson.dropbear.id.au> wrote:
>
> From: Alexey Kardashevskiy <aik@ozlabs.ru>
>
> The PAPR platform describes an OS environment that's presented by
> a combination of a hypervisor and firmware. The features it specifies
> require collaboration between the firmware and the hypervisor.
Hi; Coverity reports issues in this code:
> +static uint32_t vof_package_to_path(const void *fdt, uint32_t phandle,
> + uint32_t buf, uint32_t len)
> +{
> + uint32_t ret = -1;
Here we declare 'ret' as an unsigned type...
> + char tmp[VOF_MAX_PATH] = "";
> +
> + ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
> + if (ret > 0) {
...so this is doing an unsigned comparison, which means that
the negative values returned from phandle_to_path() (whose return
type is 'int') will not be detected (viewed as unsigned values
they will all be positive and >2GB).
> + if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
This then means that we will attempt to write >2GB of data here...
> + ret = -1;
> + }
> + }
> +
> + trace_vof_package_to_path(phandle, tmp, ret);
> +
> + return ret;
> +}
> +
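Review bot: the unsigned local in vof_package_to_path() hides the negative error codes phandle_to_path() returns, so the `if (ret > 0)` test can never fail; keep the lookup result in an `int` (for example `int rc = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));` followed by `if (rc > 0)`) and convert to uint32_t only at the `return`. The `len` parameter is also accepted but never referenced in this function, so VOF_MEM_WRITE() is sized by the path length alone; comparing the result against `len` before the write would bound it to the buffer size the caller supplied.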
> +static uint32_t vof_instance_to_path(void *fdt, Vof *vof, uint32_t ihandle,
> + uint32_t buf, uint32_t len)
> +{
> + uint32_t ret = -1;
> + uint32_t phandle = vof_instance_to_package(vof, ihandle);
> + char tmp[VOF_MAX_PATH] = "";
> +
> + if (phandle != -1) {
> + ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
> + if (ret > 0) {
This function has the same problem.
> + if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
> + ret = -1;
> + }
> + }
> + }
> + trace_vof_instance_to_path(ihandle, phandle, tmp, ret);
> +
> + return ret;
> +}
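Review bot: vof_instance_to_path() needs the same signed local for the phandle_to_path() result so that the `ret > 0` check actually rejects errors, and here too `len` is never checked against the length handed to VOF_MEM_WRITE(). The `phandle != -1` guard is unaffected, since the constant -1 is converted to uint32_t before the comparison; only the `ret` comparison is broken by the unsigned type.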
thanks
-- PMM
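To make the failure mode described in this reply concrete, the following is an added example and not code from the QEMU patch or from the reply. `lookup_path()` and `mem_write()` are constructed stand-ins for `phandle_to_path()` and `VOF_MEM_WRITE()`; the two `package_to_path_*` functions reproduce the shape of the quoted code, once with the unsigned local and once with a signed local. The fixed variant additionally treats the caller's `len` as the size of the destination buffer and refuses longer paths; that bound is an assumption of this example, not something the quoted code does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 256

/* Constructed stand-in for phandle_to_path(): fills buf with the node path
 * and returns its length, or a negative error code for an unknown phandle. */
static int lookup_path(uint32_t phandle, char *buf, size_t len)
{
    if (phandle == 1) {
        return snprintf(buf, len, "/vdevice/vty@71000000");
    }
    return -1; /* node not found */
}

/* Constructed stand-in for VOF_MEM_WRITE(): instead of touching guest
 * memory it records how many bytes it was asked to write. */
static size_t last_write_len;

static int mem_write(uint32_t dst, const char *src, size_t len)
{
    (void)dst;
    (void)src;
    last_write_len = len;
    return 0; /* MEMTX_OK equivalent */
}

void reset_write_log(void)
{
    last_write_len = 0;
}

size_t bytes_requested_by_last_write(void)
{
    return last_write_len;
}

/* Same shape as the quoted vof_package_to_path(): the unsigned local turns a
 * -1 from the lookup into UINT32_MAX, the check passes, and the write is
 * issued with a length of 4 GiB. */
uint32_t package_to_path_buggy(uint32_t phandle, uint32_t buf, uint32_t len)
{
    uint32_t ret = -1;
    char tmp[MAX_PATH] = "";

    (void)len; /* ignored, as in the quoted code */
    ret = lookup_path(phandle, tmp, sizeof(tmp));
    if (ret > 0) {
        if (mem_write(buf, tmp, ret) != 0) {
            ret = -1;
        }
    }
    return ret;
}

/* Hardened shape: the lookup result stays signed until it has been checked,
 * and the write is bounded by the caller's len (assumed to be the size of
 * the destination buffer). */
uint32_t package_to_path_fixed(uint32_t phandle, uint32_t buf, uint32_t len)
{
    char tmp[MAX_PATH] = "";
    int rc = lookup_path(phandle, tmp, sizeof(tmp));

    if (rc <= 0) {
        return (uint32_t)-1; /* lookup failed: nothing is written */
    }
    if ((uint32_t)rc > len) {
        return (uint32_t)-1; /* path does not fit the caller's buffer */
    }
    if (mem_write(buf, tmp, (size_t)rc) != 0) {
        return (uint32_t)-1;
    }
    return (uint32_t)rc;
}

int main(void)
{
    reset_write_log();
    printf("buggy, unknown phandle: ret=%u, write len=%zu\n",
           package_to_path_buggy(99, 0x1000, 64), bytes_requested_by_last_write());
    reset_write_log();
    printf("fixed, unknown phandle: ret=%u, write len=%zu\n",
           package_to_path_fixed(99, 0x1000, 64), bytes_requested_by_last_write());
    printf("fixed, known phandle:   ret=%u, write len=%zu\n",
           package_to_path_fixed(1, 0x1000, 64), bytes_requested_by_last_write());
    return 0;
}
```

Both variants report -1 to the caller for an unknown phandle, which is why the bug is invisible from the return value alone; the difference is that the buggy one has already asked for a 4 GiB write before returning.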