From: Halil Pasic <pasic@linux.ibm.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, qemu-s390x@nongnu.org,
	Matthew Rosato <mjrosato@linux.ibm.com>,
	Eric Farman <farman@linux.ibm.com>,
	Thomas Huth <thuth@redhat.com>, Halil Pasic <pasic@linux.ibm.com>
Subject: Re: [PATCH] hw/s390x/s390-pci-bus.c: Use g_assert_not_reached() in functions taking an ett
Date: Thu, 10 Jul 2025 21:36:42 +0200
Message-ID: <20250710213642.05b84fcb.pasic@linux.ibm.com>
In-Reply-To: <20250710161552.1287399-1-peter.maydell@linaro.org>

On Thu, 10 Jul 2025 17:15:52 +0100
Peter Maydell <peter.maydell@linaro.org> wrote:

> In the s390-pci-bus.c code, Coverity complains about a possible overflow
> because get_table_index() can return -1 if the ett value passed in is
> not one of the three permitted ZPCI_ETT_PT, ZPCI_ETT_ST, ZPCI_ETT_RT,
> but the caller in table_translate() doesn't check this and instead
> uses the return value directly in a calculation of the guest address
> to read from.
> 
> In fact this case cannot happen, because:
>  * get_table_index() is called only from table_translate()
>  * the only caller of table_translate() loops through the ett values
>    in the order RT, ST, PT until table_translate() returns 0
>  * table_translate() will return 0 for the error cases and when
>    translate_iscomplete() returns true
>  * translate_iscomplete() is always true for ZPCI_ETT_PT
> 
> So table_translate() is always called with a valid ett value.
> 
> Instead of having the various functions called from table_translate()
> return a default or dummy value when the ett argument is out of range,
> use g_assert_not_reached() to indicate that this is impossible.
> 
> Coverity: CID 1547609
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
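
A simplified model of the pattern the commit message describes, added here as an illustration and not taken from the patch or from QEMU. The enum values, shifts, `step()` and `walk()` are constructed stand-ins; it shows what the dummy -1 does to the address arithmetic and why the RT, ST, PT loop never produces it.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-ins for ZPCI_ETT_RT/ST/PT; values and shifts are assumed. */
enum { ETT_PT = 0, ETT_ST = 1, ETT_RT = 2 };

/* "Before" shape: an ett outside the three kinds falls through to a dummy -1. */
static int index_with_dummy(uint64_t iova, int ett)
{
    switch (ett) {
    case ETT_RT: return (int)((iova >> 31) & 0x7ff);
    case ETT_ST: return (int)((iova >> 20) & 0x7ff);
    case ETT_PT: return (int)((iova >> 12) & 0xff);
    }
    return -1;
}

/* "After" shape, written as a wrapper to keep the model short. */
static int index_checked(uint64_t iova, int ett)
{
    int idx = index_with_dummy(iova, ett);
    if (idx < 0) abort();      /* stands in for g_assert_not_reached() */
    return idx;
}

/* Entry address as an unchecked caller computes it: -1 widens to UINT64_MAX. */
static uint64_t entry_addr(uint64_t table, int idx)
{
    return table + (uint64_t)idx * sizeof(uint64_t);
}

/* One level: next table origin, or 0 when translation completes (always at PT). */
static uint64_t step(uint64_t iova, uint64_t table, int ett)
{
    uint64_t entry = entry_addr(table, index_checked(iova, ett));
    return ett == ETT_PT ? 0 : entry + 0x1000;   /* toy "next table" */
}

/* Caller: RT, ST, PT until step() returns 0; returns the levels visited. */
static int walk(uint64_t iova, uint64_t table)
{
    int ett = ETT_RT, levels = 0;
    while (table) {
        table = step(iova, table, ett--);
        levels++;
    }
    return levels;
}

int main(void) { return walk(0x12345000ULL, 0x100000ULL) == 3 ? 0 : 1; }
```

With the dummy return, an out-of-range ett would turn into a read 8 bytes below the table origin; with the checked form the program stops at the violated invariant instead.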

