From: Greg Kurz <groug@kaod.org>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
groug@kaod.org, "Cédric Le Goater" <clg@kaod.org>,
"Laurent Vivier" <lvivier@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
qemu-ppc <qemu-ppc@nongnu.org>
Subject: Re: [Qemu-devel] [PULL 30/50] spapr: Generate FDT fragment for LMBs at configure connector time
Date: Mon, 11 Mar 2019 10:40:25 +0100 [thread overview]
Message-ID: <20190311104025.1e62250a@bahia.lan> (raw)
In-Reply-To: <20190306031622.GI19715@umbus.fritz.box>
[-- Attachment #1: Type: text/plain, Size: 2820 bytes --]
Hi,
Just back from vacation.
On Wed, 6 Mar 2019 14:16:23 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:
> On Tue, Mar 05, 2019 at 04:10:20PM +0000, Peter Maydell wrote:
> > On Tue, 26 Feb 2019 at 04:53, David Gibson <david@gibson.dropbear.id.au> wrote:
> > >
> > > From: Greg Kurz <groug@kaod.org>
> >
> >
> > Hi -- Coverity points out a possible overflow here (CID 1399145):
> >
> > > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > > index 00eb3b643c..b92deee771 100644
> > > --- a/hw/ppc/spapr.c
> > > +++ b/hw/ppc/spapr.c
> > > @@ -3333,14 +3333,26 @@ static void spapr_nmi(NMIState *n, int cpu_index, Error **errp)
> > > }
> > > }
> > >
> > > +int spapr_lmb_dt_populate(sPAPRDRConnector *drc, sPAPRMachineState *spapr,
> > > + void *fdt, int *fdt_start_offset, Error **errp)
> > > +{
> > > + uint64_t addr;
> > > + uint32_t node;
> > > +
> > > + addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;
> >
> > This multiplication is done as a 32x32, which might overflow and
> > be truncated before the result is put into the 64-bit result.
> > Casting one side or the other to uint64_t would fix this.
>
Oops... I missed that :-\
> I've applied the following fix to my tree and will include it in the
> next pull request:
>
> From 07d93b239203f4fb655e42f6a8a194a4f9eb40a2 Mon Sep 17 00:00:00 2001
> From: David Gibson <david@gibson.dropbear.id.au>
> Date: Wed, 6 Mar 2019 14:15:26 +1100
> Subject: [PATCH] spapr: Force SPAPR_MEMORY_BLOCK_SIZE to be a hwaddr (64-bit)
>
> SPAPR_MEMORY_BLOCK_SIZE is logically a difference in memory addresses, and
> hence of type hwaddr which is 64-bit. Previously it wasn't marked as such
> which means that it could be treated as 32-bit. That will work in some
> circumstances but if multiplied by another 32-bit value it could lead to
> a 32-bit overflow and an incorrect result.
>
> One specific instance of this in spapr_lmb_dt_populate() was spotted by
> Coverity (CID 1399145).
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
Thanks for the fix :-)
> include/hw/ppc/spapr.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
> index ff1bd60615..1311ebe28e 100644
> --- a/include/hw/ppc/spapr.h
> +++ b/include/hw/ppc/spapr.h
> @@ -792,7 +792,7 @@ int spapr_rtc_import_offset(sPAPRRTCState *rtc, int64_t legacy_offset);
>
> #define TYPE_SPAPR_RNG "spapr-rng"
>
> -#define SPAPR_MEMORY_BLOCK_SIZE (1 << 28) /* 256MB */
> +#define SPAPR_MEMORY_BLOCK_SIZE ((hwaddr)1 << 28) /* 256MB */
>
> /*
> * This defines the maximum number of DIMM slots we can have for sPAPR
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2019-03-11 9:40 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-26 4:52 [Qemu-devel] [PULL 00/50] ppc-for-4.0 queue 20190226 David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 01/50] target/ppc: Fix nip on power management instructions David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 02/50] target/ppc: Don't clobber MSR:EE on PM instructions David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 03/50] target/ppc: Fix support for "STOP light" states on POWER9 David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 04/50] target/ppc: Move "wakeup reset" code to a separate function David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 05/50] target/ppc: Rename "in_pm_state" to "resume_as_sreset" David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 06/50] target/ppc: Add POWER9 exception model David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 07/50] target/ppc: Detect erroneous condition in interrupt delivery David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 08/50] target/ppc: Add Hypervisor Virtualization Interrupt on POWER9 David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 09/50] target/ppc: Add POWER9 external interrupt model David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 10/50] target/ppc: Add support for LPCR:HEIC on POWER9 David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 11/50] ppc: add host-serial and host-model machine attributes (CVE-2019-8934) David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 12/50] cpus: Properly release the iothread lock when killing a dummy VCPU David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 13/50] spapr: support memory unplug for qtest David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 14/50] tests/device-plug: Add a simple PCI unplug request test David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 15/50] tests/device-plug: Add CCW unplug test for s390x David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 16/50] tests/device-plug: Add CPU core unplug request test for spapr David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 17/50] tests/device-plug: Add memory " David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 18/50] target/ppc/spapr: Set LPCR:HR when using Radix mode David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 19/50] target/ppc/mmu: Use LPCR:HR to chose radix vs. hash translation David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 20/50] target/ppc: Re-enable RMLS on POWER9 for virtual hypervisors David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 21/50] target/ppc: Fix #include guard in mmu-book3s-v3.h David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 22/50] target/ppc: Fix ordering of hash MMU accesses David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 23/50] target/ppc: Add basic support for "new format" HPTE as found on POWER9 David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 24/50] target/ppc: Fix synchronization of mttcg with broadcast TLB flushes David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 25/50] target/ppc: Flush the TLB locally when the LPIDR is written David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 26/50] target/ppc: Rename PATB/PATBE -> PATE David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 27/50] target/ppc: Support for POWER9 native hash David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 28/50] target/ppc: Basic POWER9 bare-metal radix MMU support David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 29/50] spapr_drc: Allow FDT fragment to be added later David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 30/50] spapr: Generate FDT fragment for LMBs at configure connector time David Gibson
2019-03-05 16:10 ` Peter Maydell
2019-03-06 3:16 ` David Gibson
2019-03-11 9:40 ` Greg Kurz [this message]
2019-02-26 4:52 ` [Qemu-devel] [PULL 31/50] spapr: Generate FDT fragment for CPUs " David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 32/50] spapr/pci: Generate FDT fragment " David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 33/50] spapr/drc: Drop spapr_drc_attach() fdt argument David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 34/50] xics: Write source state to KVM at claim time David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 35/50] spapr: Expose the name of the interrupt controller node David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 36/50] spapr_irq: Expose the phandle of the interrupt controller David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 37/50] spapr_pci: add PHB unrealize David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 38/50] spapr: create DR connectors for PHBs David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 39/50] spapr: populate PHB DRC entries for root DT node David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 40/50] spapr_events: add support for phb hotplug events David Gibson
2019-02-28 18:40 ` Thomas Huth
2019-03-01 1:31 ` Michael Roth
2019-03-01 10:30 ` David Hildenbrand
2019-03-01 10:48 ` Greg Kurz
2019-03-01 10:49 ` Thomas Huth
2019-03-01 12:22 ` Greg Kurz
2019-02-26 4:52 ` [Qemu-devel] [PULL 41/50] spapr_pci: provide node start offset via spapr_populate_pci_dt() David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 42/50] spapr_pci: add ibm, my-drc-index property for PHB hotplug David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 43/50] spapr: add hotplug hooks " David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 44/50] spapr: enable PHB hotplug for default pseries machine type David Gibson
2019-02-26 4:52 ` [Qemu-devel] [PULL 45/50] tests/device-plug: Add PHB unplug request test for spapr David Gibson
2019-02-26 4:53 ` [Qemu-devel] [PULL 46/50] ppc/xive: xive does not have a POWER7 interrupt model David Gibson
2019-02-26 4:53 ` [Qemu-devel] [PULL 47/50] hw/ppc: Use object_initialize_child for correct reference counting David Gibson
2019-02-26 4:53 ` [Qemu-devel] [PULL 48/50] ppc/pnv: increase kernel size limit to 256MiB David Gibson
2019-02-26 4:53 ` [Qemu-devel] [PULL 49/50] ppc/pnv: add INITRD_MAX_SIZE constant David Gibson
2019-02-26 4:53 ` [Qemu-devel] [PULL 50/50] ppc/pnv: use IEC binary prefixes to represent sizes David Gibson
2019-02-28 11:13 ` [Qemu-devel] [PULL 00/50] ppc-for-4.0 queue 20190226 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190311104025.1e62250a@bahia.lan \
--to=groug@kaod.org \
--cc=clg@kaod.org \
--cc=david@gibson.dropbear.id.au \
--cc=lvivier@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).