From: David Gibson <david@gibson.dropbear.id.au>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: gkurz@kaod.org, "Cédric Le Goater" <clg@kaod.org>,
"Laurent Vivier" <lvivier@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
qemu-ppc <qemu-ppc@nongnu.org>, "Greg Kurz" <groug@kaod.org>
Subject: Re: [Qemu-devel] [PULL 30/50] spapr: Generate FDT fragment for LMBs at configure connector time
Date: Wed, 6 Mar 2019 14:16:23 +1100 [thread overview]
Message-ID: <20190306031622.GI19715@umbus.fritz.box> (raw)
In-Reply-To: <CAFEAcA_S+Sq_5fMbVvXnSLsWzzVxKYA2zs8QH02H_xAAb+1+kA@mail.gmail.com>
On Tue, Mar 05, 2019 at 04:10:20PM +0000, Peter Maydell wrote:
> On Tue, 26 Feb 2019 at 04:53, David Gibson <david@gibson.dropbear.id.au> wrote:
> >
> > From: Greg Kurz <groug@kaod.org>
>
>
> Hi -- Coverity points out a possible overflow here (CID 1399145):
>
> > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > index 00eb3b643c..b92deee771 100644
> > --- a/hw/ppc/spapr.c
> > +++ b/hw/ppc/spapr.c
> > @@ -3333,14 +3333,26 @@ static void spapr_nmi(NMIState *n, int cpu_index, Error **errp)
> > }
> > }
> >
> > +int spapr_lmb_dt_populate(sPAPRDRConnector *drc, sPAPRMachineState *spapr,
> > + void *fdt, int *fdt_start_offset, Error **errp)
> > +{
> > + uint64_t addr;
> > + uint32_t node;
> > +
> > + addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;
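Review bot: the product on the `addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;` line is evaluated at 32-bit width and only then widened for the assignment to the 64-bit `addr`, so once the DRC index times the 256MB block size exceeds 4GB the high bits are lost before `addr` is ever written (the overflow Coverity flagged as CID 1399145). Widening one operand before the multiply, e.g. `addr = (uint64_t)spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;`, or making the macro itself 64-bit so every caller is covered, fixes it at the source.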
>
> This multiplication is done as a 32x32, which might overflow and
> be truncated before the result is put into the 64-bit result.
> Casting one side or the other to uint64_t would fix this.
I've applied the following fix to my tree and will include it in the
next pull request:
From 07d93b239203f4fb655e42f6a8a194a4f9eb40a2 Mon Sep 17 00:00:00 2001
From: David Gibson <david@gibson.dropbear.id.au>
Date: Wed, 6 Mar 2019 14:15:26 +1100
Subject: [PATCH] spapr: Force SPAPR_MEMORY_BLOCK_SIZE to be a hwaddr (64-bit)
SPAPR_MEMORY_BLOCK_SIZE is logically a difference in memory addresses, and
hence of type hwaddr which is 64-bit. Previously it wasn't marked as such
which means that it could be treated as 32-bit. That will work in some
circumstances but if multiplied by another 32-bit value it could lead to
a 32-bit overflow and an incorrect result.
One specific instance of this in spapr_lmb_dt_populate() was spotted by
Coverity (CID 1399145).
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
include/hw/ppc/spapr.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index ff1bd60615..1311ebe28e 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -792,7 +792,7 @@ int spapr_rtc_import_offset(sPAPRRTCState *rtc, int64_t legacy_offset);
#define TYPE_SPAPR_RNG "spapr-rng"
-#define SPAPR_MEMORY_BLOCK_SIZE (1 << 28) /* 256MB */
+#define SPAPR_MEMORY_BLOCK_SIZE ((hwaddr)1 << 28) /* 256MB */
/*
* This defines the maximum number of DIMM slots we can have for sPAPR
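Review bot: casting the constant to `hwaddr` widens every expression that uses SPAPR_MEMORY_BLOCK_SIZE, not only the product in spapr_lmb_dt_populate(), so the other users of the macro deserve a quick scan: a signed `int` that is compared with, divided by, or reduced modulo this constant is now converted to unsigned 64-bit, and a negative value would silently become a very large one. The change itself is the right fix for the 32x32 multiply, and the `/* 256MB */` comment still matches `1 << 28`.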
--
2.20.1
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
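As an added illustration of the overflow the commit message describes (this is not code from QEMU or from this thread): the old `int` macro and the new `hwaddr` macro side by side, with a stand-in for spapr_drc_index() that returns a `uint32_t` and `hwaddr` typedef'd to `uint64_t`; both of those are assumptions about QEMU's types.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

typedef uint64_t hwaddr;                          /* as in QEMU (assumption) */

/* Before the fix: a plain int constant. */
#define MEMORY_BLOCK_SIZE_OLD (1 << 28)           /* 256MB */
/* After the fix: the constant is itself 64-bit. */
#define MEMORY_BLOCK_SIZE_NEW ((hwaddr)1 << 28)   /* 256MB */

/* Stand-in for spapr_drc_index(): a 32-bit DRC index (assumption). */
static uint32_t fake_drc_index(uint32_t idx) { return idx; }

/* Old code: uint32_t * int is a 32-bit unsigned product and wraps
 * modulo 2^32 before the widening assignment to the 64-bit addr. */
static uint64_t lmb_addr_old(uint32_t idx)
{
    uint64_t addr;
    addr = fake_drc_index(idx) * MEMORY_BLOCK_SIZE_OLD;
    return addr;
}

/* New code: the hwaddr operand makes the usual arithmetic conversions
 * widen the index to 64 bits first, so the product is exact. */
static uint64_t lmb_addr_new(uint32_t idx)
{
    uint64_t addr;
    addr = fake_drc_index(idx) * MEMORY_BLOCK_SIZE_NEW;
    return addr;
}

/* Returns 1 when the 32-bit evaluation would have lost high bits. */
static int would_truncate(uint32_t idx)
{
    return lmb_addr_new(idx) > UINT32_MAX;
}

int main(void)
{
    uint32_t idx;
    /* Index 16 is the first LMB whose address reaches 4GB. */
    for (idx = 14; idx <= 17; idx++) {
        printf("index %2" PRIu32 ": old=0x%010" PRIx64 " new=0x%010" PRIx64 "%s\n",
               idx, lmb_addr_old(idx), lmb_addr_new(idx),
               would_truncate(idx) ? "  (32-bit result truncated)" : "");
    }
    return 0;
}
```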