From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>
Subject: [PATCH] hw/tpm/tpm_tis_common.c: Assert that locty is in range
Date: Fri, 13 May 2022 17:38:27 +0100 [thread overview]
Message-ID: <20220513163827.26281-1-peter.maydell@linaro.org> (raw)
In tpm_tis_mmio_read(), tpm_tis_mmio_write() and
tpm_tis_dump_state(), we calculate a locality index with
tpm_tis_locality_from_addr() and then use it as an index into the
s->loc[] array. In all these cases, the array index can't overflow
because the MemoryRegion is sized to be TPM_TIS_NUM_LOCALITIES <<
TPM_TIS_LOCALITY_SHIFT bytes. However, Coverity can't see that, and
it complains (CID 1487138, 1487180, 1487188, 1487198, 1487240).
Add assertions that the calculated locality index is valid, which
will help Coverity and also catch any potential future bug where
the MemoryRegion isn't sized exactly.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Tested with 'make check' only...
hw/tpm/tpm_tis_common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
index e700d821816..81edae410c8 100644
--- a/hw/tpm/tpm_tis_common.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -295,6 +295,8 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
uint8_t locty = tpm_tis_locality_from_addr(addr);
hwaddr base = addr & ~0xfff;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
printf("tpm_tis: active locality : %d\n"
"tpm_tis: state of locality %d : %d\n"
"tpm_tis: register dump:\n",
@@ -336,6 +338,8 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
uint32_t avail;
uint8_t v;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
if (tpm_backend_had_startup_error(s->be_driver)) {
return 0;
}
@@ -458,6 +462,8 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
uint16_t len;
uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
trace_tpm_tis_mmio_write(size, addr, val);
if (locty == 4) {
--
2.25.1
next reply other threads:[~2022-05-13 16:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-13 16:38 Peter Maydell [this message]
2022-05-13 16:55 ` [PATCH] hw/tpm/tpm_tis_common.c: Assert that locty is in range Philippe Mathieu-Daudé via
2022-05-18 13:46 ` Stefan Berger
2022-05-18 16:45 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220513163827.26281-1-peter.maydell@linaro.org \
--to=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanb@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).