[Qemu-devel] [PATCH v2] coverity-model: model address_space

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write
@ 2017-03-15  8:16 Paolo Bonzini
  2017-03-15 11:55 ` Eric Blake
  2017-03-15 13:01 ` Markus Armbruster
  0 siblings, 2 replies; 5+ messages in thread
From: Paolo Bonzini @ 2017-03-15  8:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: armbru

Commit eb7eeb8 ("memory: split address_space_read and
address_space_write", 2015-12-17) made address_space_rw
dispatch to one of address_space_read or address_space_write,
rather than vice versa.

For callers of address_space_read and address_space_write this
causes false positive defects when Coverity sees a length-8 write in
address_space_read and a length-4 (e.g. int*) buffer to read into.
As long as the size of the buffer is okay, this is a false positive.

Reflect the code change into the model.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 scripts/coverity-model.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/scripts/coverity-model.c b/scripts/coverity-model.c
index ee5bf9d..c702804 100644
--- a/scripts/coverity-model.c
+++ b/scripts/coverity-model.c
@@ -67,18 +67,27 @@ static void __bufread(uint8_t *buf, ssize_t len)
     int last = buf[len-1];
 }
 
-MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
-                             uint8_t *buf, int len, bool is_write)
+MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
+                               MemTxAttrs attrs,
+                               uint8_t *buf, int len)
 {
     MemTxResult result;
-
     // TODO: investigate impact of treating reads as producing
     // tainted data, with __coverity_tainted_data_argument__(buf).
-    if (is_write) __bufread(buf, len); else __bufwrite(buf, len);
+    __bufwrite(buf, len);
+    return result;
+}
 
+MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
+                                MemTxAttrs attrs,
+                                const uint8_t *buf, int len)
+{
+    MemTxResult result;
+    __bufread(buf, len);
     return result;
 }
 
+
 /* Tainting */
 
 typedef struct {} name2keysym_t;
-- 
2.9.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write
  2017-03-15  8:16 [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write Paolo Bonzini
@ 2017-03-15 11:55 ` Eric Blake
  2017-03-15 11:58   ` Peter Maydell
  2017-03-15 13:01 ` Markus Armbruster
  1 sibling, 1 reply; 5+ messages in thread
From: Eric Blake @ 2017-03-15 11:55 UTC (permalink / raw)
  To: Paolo Bonzini, qemu-devel; +Cc: armbru

[-- Attachment #1: Type: text/plain, Size: 1995 bytes --]

On 03/15/2017 03:16 AM, Paolo Bonzini wrote:
> Commit eb7eeb8 ("memory: split address_space_read and
> address_space_write", 2015-12-17) made address_space_rw
> dispatch to one of address_space_read or address_space_write,
> rather than vice versa.
> 
> For callers of address_space_read and address_space_write this
> causes false positive defects when Coverity sees a length-8 write in
> address_space_read and a length-4 (e.g. int*) buffer to read into.
> As long as the size of the buffer is okay, this is a false positive.
> 
> Reflect the code change into the model.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  scripts/coverity-model.c | 17 +++++++++++++----
>  1 file changed, 13 insertions(+), 4 deletions(-)

> -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
> -                             uint8_t *buf, int len, bool is_write)
> +MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
> +                               MemTxAttrs attrs,
> +                               uint8_t *buf, int len)
>  {
>      MemTxResult result;
> -
>      // TODO: investigate impact of treating reads as producing
>      // tainted data, with __coverity_tainted_data_argument__(buf).
> -    if (is_write) __bufread(buf, len); else __bufwrite(buf, len);

Old code did __bufread for reads,

> +    __bufwrite(buf, len);

but the new does __bufwrite.

> +    return result;
> +}
>  
> +MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
> +                                MemTxAttrs attrs,
> +                                const uint8_t *buf, int len)
> +{
> +    MemTxResult result;
> +    __bufread(buf, len);

And __bufread for writes.  Did you get this backwards?

>      return result;
>  }
>  
> +
>  /* Tainting */
>  
>  typedef struct {} name2keysym_t;
> 

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write
  2017-03-15 11:55 ` Eric Blake
@ 2017-03-15 11:58   ` Peter Maydell
  2017-03-15 12:19     ` Eric Blake
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Maydell @ 2017-03-15 11:58 UTC (permalink / raw)
  To: Eric Blake; +Cc: Paolo Bonzini, QEMU Developers, Markus Armbruster

On 15 March 2017 at 11:55, Eric Blake <eblake@redhat.com> wrote:
> On 03/15/2017 03:16 AM, Paolo Bonzini wrote:
>> -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
>> -                             uint8_t *buf, int len, bool is_write)
>> +MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
>> +                               MemTxAttrs attrs,
>> +                               uint8_t *buf, int len)
>>  {
>>      MemTxResult result;
>> -
>>      // TODO: investigate impact of treating reads as producing
>>      // tainted data, with __coverity_tainted_data_argument__(buf).
>> -    if (is_write) __bufread(buf, len); else __bufwrite(buf, len);
>
> Old code did __bufread for reads,

Eh? for a read is_write is false, and we use the else clause,
which is __bufwrite...

thanks
-- PMM

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write
  2017-03-15 11:58   ` Peter Maydell
@ 2017-03-15 12:19     ` Eric Blake
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Blake @ 2017-03-15 12:19 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Paolo Bonzini, QEMU Developers, Markus Armbruster

[-- Attachment #1: Type: text/plain, Size: 1627 bytes --]

On 03/15/2017 06:58 AM, Peter Maydell wrote:
> On 15 March 2017 at 11:55, Eric Blake <eblake@redhat.com> wrote:
>> On 03/15/2017 03:16 AM, Paolo Bonzini wrote:
>>> -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
>>> -                             uint8_t *buf, int len, bool is_write)
>>> +MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
>>> +                               MemTxAttrs attrs,
>>> +                               uint8_t *buf, int len)
>>>  {
>>>      MemTxResult result;
>>> -
>>>      // TODO: investigate impact of treating reads as producing
>>>      // tainted data, with __coverity_tainted_data_argument__(buf).
>>> -    if (is_write) __bufread(buf, len); else __bufwrite(buf, len);
>>
>> Old code did __bufread for reads,
> 
> Eh? for a read is_write is false, and we use the else clause,
> which is __bufwrite...

Maybe I shouldn't send emails when I've just woken up? It threw me that
we have a function named 'read' relying on coverity's 'write' - but
you're correct that it has always been that way, and thinking about it
more, what is really happening is:

our function named 'read' is emulating getting data from hardware (the
'read' portion) and copying it into the buffer (the 'write' portion);
the Coverity model needs to know about the effects to the buffer, but
could care less about the hardware emulation side.

Okay, you've straightened me out, so I can give:
Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write
  2017-03-15  8:16 [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write Paolo Bonzini
  2017-03-15 11:55 ` Eric Blake
@ 2017-03-15 13:01 ` Markus Armbruster
  1 sibling, 0 replies; 5+ messages in thread
From: Markus Armbruster @ 2017-03-15 13:01 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: qemu-devel

Paolo Bonzini <pbonzini@redhat.com> writes:

> Commit eb7eeb8 ("memory: split address_space_read and
> address_space_write", 2015-12-17) made address_space_rw
> dispatch to one of address_space_read or address_space_write,
> rather than vice versa.
>
> For callers of address_space_read and address_space_write this
> causes false positive defects when Coverity sees a length-8 write in
> address_space_read and a length-4 (e.g. int*) buffer to read into.
> As long as the size of the buffer is okay, this is a false positive.
>
> Reflect the code change into the model.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Expect a pull request shortly.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-03-15 13:01 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-15  8:16 [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write Paolo Bonzini
2017-03-15 11:55 ` Eric Blake
2017-03-15 11:58   ` Peter Maydell
2017-03-15 12:19     ` Eric Blake
2017-03-15 13:01 ` Markus Armbruster

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).