From: Nicholas Piggin <npiggin@gmail.com>
To: qemu-devel@nongnu.org
Cc: "Nicholas Piggin" <npiggin@gmail.com>,
qemu-ppc@nongnu.org, "Shivaprasad G Bhat" <sbhat@linux.ibm.com>,
"Cédric Le Goater" <clg@redhat.com>
Subject: [PULL 05/12] ppc/spapr: Fix possible pa_features memory overflow
Date: Fri, 21 Mar 2025 16:24:09 +1000
Message-ID: <20250321062421.116129-6-npiggin@gmail.com>
In-Reply-To: <20250321062421.116129-1-npiggin@gmail.com>
Coverity reports a possible memory overflow in spapr_dt_pa_features().
This should not be a true bug since the DAWR1 cap is only true for
CPU_POWERPC_LOGICAL_3_10. Add an assertion to ensure any bug there is
caught.
Resolves: Coverity CID 1593722
Fixes: 5f361ea187ba ("ppc: spapr: Enable 2nd DAWR on Power10 pSeries machine")
Reviewed-By: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
hw/ppc/spapr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a415e51d07..9865d7147f 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -296,6 +296,7 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,
pa_features[40 + 2] &= ~0x80; /* Radix MMU */
}
if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
+ g_assert(pa_size > 66);
pa_features[66] |= 0x80;
}
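Review bot: the added `g_assert(pa_size > 66);` in front of `pa_features[66] |= 0x80;` is the right shape for this fix, since it turns a silent one-byte out-of-bounds write into a loud abort whenever the DAWR1 cap is ever set for a CPU whose pa_features table is shorter than 67 bytes; the one caveat is that g_assert() is compiled out when GLib is built with G_DISABLE_ASSERT, so if this invariant must hold in every build, an explicit `if (pa_size <= 66)` check with an error path would be more robust than the assertion alone. The neighbouring `pa_features[40 + 2] &= ~0x80;` write visible in the context has no equivalent bound check in this hunk; it would help to confirm in the commit message that the table size for that path is already guaranteed elsewhere in the function.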
--
2.47.1