[PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363)

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363)
@ 2020-10-30 14:46 Philippe Mathieu-Daudé
  2020-10-30 15:04 ` Philippe Mathieu-Daudé
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-10-30 14:46 UTC (permalink / raw)
  To: qemu-devel
  Cc: Eric Auger, qemu-arm, Philippe Mathieu-Daudé, Peter Maydell

Use the BIT_ULL() macro to ensure we use 64-bit arithmetic.
This fixes the following Coverity issue (OVERFLOW_BEFORE_WIDEN):

  CID 1432363 (#1 of 1): Unintentional integer overflow:

  overflow_before_widen:
    Potentially overflowing expression 1 << scale with type int
    (32 bits, signed) is evaluated using 32-bit arithmetic, and
    then used in a context that expects an expression of type
    hwaddr (64 bits, unsigned).

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 hw/arm/smmuv3.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index 2017ba7a5a7..22607c37841 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -17,6 +17,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/bitops.h"
 #include "hw/irq.h"
 #include "hw/sysbus.h"
 #include "migration/vmstate.h"
@@ -864,7 +865,7 @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
         scale = CMD_SCALE(cmd);
         num = CMD_NUM(cmd);
         ttl = CMD_TTL(cmd);
-        num_pages = (num + 1) * (1 << (scale));
+        num_pages = (num + 1) * BIT_ULL(scale);
     }
 
     if (type == SMMU_CMD_TLBI_NH_VA) {
-- 
2.26.2



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363)
  2020-10-30 14:46 [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363) Philippe Mathieu-Daudé
@ 2020-10-30 15:04 ` Philippe Mathieu-Daudé
  2020-10-30 15:19 ` Auger Eric
  2020-11-02 11:42 ` Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-10-30 15:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: Eric Auger, qemu-arm, Peter Maydell

On 10/30/20 3:46 PM, Philippe Mathieu-Daudé wrote:
> Use the BIT_ULL() macro to ensure we use 64-bit arithmetic.
> This fixes the following Coverity issue (OVERFLOW_BEFORE_WIDEN):
> 
>   CID 1432363 (#1 of 1): Unintentional integer overflow:
> 
>   overflow_before_widen:
>     Potentially overflowing expression 1 << scale with type int
>     (32 bits, signed) is evaluated using 32-bit arithmetic, and
>     then used in a context that expects an expression of type
>     hwaddr (64 bits, unsigned).
> 

Fixes: d52915616c0 ("hw/arm/smmuv3: Get prepared for range invalidation")

> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>  hw/arm/smmuv3.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
> index 2017ba7a5a7..22607c37841 100644
> --- a/hw/arm/smmuv3.c
> +++ b/hw/arm/smmuv3.c
> @@ -17,6 +17,7 @@
>   */
>  
>  #include "qemu/osdep.h"
> +#include "qemu/bitops.h"
>  #include "hw/irq.h"
>  #include "hw/sysbus.h"
>  #include "migration/vmstate.h"
> @@ -864,7 +865,7 @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
>          scale = CMD_SCALE(cmd);
>          num = CMD_NUM(cmd);
>          ttl = CMD_TTL(cmd);
> -        num_pages = (num + 1) * (1 << (scale));
> +        num_pages = (num + 1) * BIT_ULL(scale);
>      }
>  
>      if (type == SMMU_CMD_TLBI_NH_VA) {
> 



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363)
  2020-10-30 14:46 [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363) Philippe Mathieu-Daudé
  2020-10-30 15:04 ` Philippe Mathieu-Daudé
@ 2020-10-30 15:19 ` Auger Eric
  2020-11-02 11:42 ` Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Auger Eric @ 2020-10-30 15:19 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé, qemu-devel; +Cc: Peter Maydell, qemu-arm

Hi Philippe,

On 10/30/20 3:46 PM, Philippe Mathieu-Daudé wrote:
> Use the BIT_ULL() macro to ensure we use 64-bit arithmetic.
> This fixes the following Coverity issue (OVERFLOW_BEFORE_WIDEN):
> 
>   CID 1432363 (#1 of 1): Unintentional integer overflow:
> 
>   overflow_before_widen:
>     Potentially overflowing expression 1 << scale with type int
>     (32 bits, signed) is evaluated using 32-bit arithmetic, and
>     then used in a context that expects an expression of type
>     hwaddr (64 bits, unsigned).
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Eric Auger <eric.auger@redhat.com>

Thanks!

Eric
> ---
>  hw/arm/smmuv3.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
> index 2017ba7a5a7..22607c37841 100644
> --- a/hw/arm/smmuv3.c
> +++ b/hw/arm/smmuv3.c
> @@ -17,6 +17,7 @@
>   */
>  
>  #include "qemu/osdep.h"
> +#include "qemu/bitops.h"
>  #include "hw/irq.h"
>  #include "hw/sysbus.h"
>  #include "migration/vmstate.h"
> @@ -864,7 +865,7 @@ static void smmuv3_s1_range_inval(SMMUState *s, Cmd *cmd)
>          scale = CMD_SCALE(cmd);
>          num = CMD_NUM(cmd);
>          ttl = CMD_TTL(cmd);
> -        num_pages = (num + 1) * (1 << (scale));
> +        num_pages = (num + 1) * BIT_ULL(scale);
>      }
>  
>      if (type == SMMU_CMD_TLBI_NH_VA) {
> 



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363)
  2020-10-30 14:46 [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363) Philippe Mathieu-Daudé
  2020-10-30 15:04 ` Philippe Mathieu-Daudé
  2020-10-30 15:19 ` Auger Eric
@ 2020-11-02 11:42 ` Peter Maydell
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2020-11-02 11:42 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé; +Cc: Eric Auger, qemu-arm, QEMU Developers

On Fri, 30 Oct 2020 at 14:46, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> Use the BIT_ULL() macro to ensure we use 64-bit arithmetic.
> This fixes the following Coverity issue (OVERFLOW_BEFORE_WIDEN):
>
>   CID 1432363 (#1 of 1): Unintentional integer overflow:
>
>   overflow_before_widen:
>     Potentially overflowing expression 1 << scale with type int
>     (32 bits, signed) is evaluated using 32-bit arithmetic, and
>     then used in a context that expects an expression of type
>     hwaddr (64 bits, unsigned).
>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>  hw/arm/smmuv3.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)



Applied to target-arm.next, thanks.

-- PMM


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-11-02 11:44 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-30 14:46 [PATCH-for-5.2] hw/arm/smmuv3: Fix potential integer overflow (CID 1432363) Philippe Mathieu-Daudé
2020-10-30 15:04 ` Philippe Mathieu-Daudé
2020-10-30 15:19 ` Auger Eric
2020-11-02 11:42 ` Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).