* [PATCH] hw/tpm/tpm_tis_common.c: Assert that locty is in range
@ 2022-05-13 16:38 Peter Maydell
2022-05-13 16:55 ` Philippe Mathieu-Daudé via
2022-05-18 13:46 ` Stefan Berger
0 siblings, 2 replies; 4+ messages in thread
From: Peter Maydell @ 2022-05-13 16:38 UTC (permalink / raw)
To: qemu-devel; +Cc: Stefan Berger
In tpm_tis_mmio_read(), tpm_tis_mmio_write() and
tpm_tis_dump_state(), we calculate a locality index with
tpm_tis_locality_from_addr() and then use it as an index into the
s->loc[] array. In all these cases, the array index can't overflow
because the MemoryRegion is sized to be TPM_TIS_NUM_LOCALITIES <<
TPM_TIS_LOCALITY_SHIFT bytes. However, Coverity can't see that, and
it complains (CID 1487138, 1487180, 1487188, 1487198, 1487240).
Add assertions that the calculated locality index is valid, which
will help Coverity and also catch any potential future bug where
the MemoryRegion isn't sized exactly.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Tested with 'make check' only...
hw/tpm/tpm_tis_common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
index e700d821816..81edae410c8 100644
--- a/hw/tpm/tpm_tis_common.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -295,6 +295,8 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
uint8_t locty = tpm_tis_locality_from_addr(addr);
hwaddr base = addr & ~0xfff;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
printf("tpm_tis: active locality : %d\n"
"tpm_tis: state of locality %d : %d\n"
"tpm_tis: register dump:\n",
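Review bot: the assert at the top of tpm_tis_dump_state() has no comment saying why it cannot fire. The justification (the MemoryRegion is sized to TPM_TIS_NUM_LOCALITIES << TPM_TIS_LOCALITY_SHIFT bytes) exists only in the commit message, so a one-line comment above assert(TPM_TIS_IS_VALID_LOCTY(locty)) would keep the invariant next to the code that depends on it. The same comment applies at the other two callsites.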
@@ -336,6 +338,8 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
uint32_t avail;
uint8_t v;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
if (tpm_backend_had_startup_error(s->be_driver)) {
return 0;
}
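Review bot: in tpm_tis_mmio_read() the new assert makes an out-of-range locty abort the process, while the lines right after it already show a non-fatal failure path (return 0 when tpm_backend_had_startup_error() is true). That is fine while the index is unreachable by construction, but if the region sizing ever stops being exact this check should become an explicit test that fails the access, since addr in an MMIO handler originates from the guest.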
@@ -458,6 +462,8 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
uint16_t len;
uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
trace_tpm_tis_mmio_write(size, addr, val);
if (locty == 4) {
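Review bot: in tpm_tis_mmio_write() the assert comes before trace_tpm_tis_mmio_write(size, addr, val), so if it ever fires the offending access is never traced. Moving the assert below the trace call would leave addr and val in the trace output for whoever debugs the abort. Separately, the literal in if (locty == 4) reads oddly next to the TPM_TIS_IS_VALID_LOCTY() macro; a named constant would show how it relates to the valid range.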
--
2.25.1
* Re: [PATCH] hw/tpm/tpm_tis_common.c: Assert that locty is in range
From: Philippe Mathieu-Daudé via @ 2022-05-13 16:55 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel@nongnu.org Developers, Stefan Berger
On Fri, May 13, 2022 at 6:43 PM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> In tpm_tis_mmio_read(), tpm_tis_mmio_write() and
> tpm_tis_dump_state(), we calculate a locality index with
> tpm_tis_locality_from_addr() and then use it as an index into the
> s->loc[] array. In all these cases, the array index can't overflow
> because the MemoryRegion is sized to be TPM_TIS_NUM_LOCALITIES <<
> TPM_TIS_LOCALITY_SHIFT bytes. However, Coverity can't see that, and
> it complains (CID 1487138, 1487180, 1487188, 1487198, 1487240).
>
> Add assertions that the calculated locality index is valid, which
> will help Coverity and also catch any potential future bug where
> the MemoryRegion isn't sized exactly.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> Tested with 'make check' only...
>
> hw/tpm/tpm_tis_common.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
> index e700d821816..81edae410c8 100644
> --- a/hw/tpm/tpm_tis_common.c
> +++ b/hw/tpm/tpm_tis_common.c
> @@ -295,6 +295,8 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
> uint8_t locty = tpm_tis_locality_from_addr(addr);
> hwaddr base = addr & ~0xfff;
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> +
> printf("tpm_tis: active locality : %d\n"
> "tpm_tis: state of locality %d : %d\n"
> "tpm_tis: register dump:\n",
This one was here ...:
https://lore.kernel.org/qemu-devel/20220330235723.68033-1-philippe.mathieu.daude@gmail.com/
> @@ -336,6 +338,8 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
> uint32_t avail;
> uint8_t v;
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> +
> if (tpm_backend_had_startup_error(s->be_driver)) {
> return 0;
> }
> @@ -458,6 +462,8 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
> uint16_t len;
> uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> +
> trace_tpm_tis_mmio_write(size, addr, val);
>
> if (locty == 4) {
... but not these, so:
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
* Re: [PATCH] hw/tpm/tpm_tis_common.c: Assert that locty is in range
From: Stefan Berger @ 2022-05-18 13:46 UTC (permalink / raw)
To: Peter Maydell, qemu-devel; +Cc: Stefan Berger
On 5/13/22 12:38, Peter Maydell wrote:
> In tpm_tis_mmio_read(), tpm_tis_mmio_write() and
> tpm_tis_dump_state(), we calculate a locality index with
> tpm_tis_locality_from_addr() and then use it as an index into the
> s->loc[] array. In all these cases, the array index can't overflow
> because the MemoryRegion is sized to be TPM_TIS_NUM_LOCALITIES <<
> TPM_TIS_LOCALITY_SHIFT bytes. However, Coverity can't see that, and
> it complains (CID 1487138, 1487180, 1487188, 1487198, 1487240).
>
> Add assertions that the calculated locality index is valid, which
> will help Coverity and also catch any potential future bug where
> the MemoryRegion isn't sized exactly.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
I trust that the 3 fixes resolve the 5 CIDs.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> Tested with 'make check' only...
>
> hw/tpm/tpm_tis_common.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
> index e700d821816..81edae410c8 100644
> --- a/hw/tpm/tpm_tis_common.c
> +++ b/hw/tpm/tpm_tis_common.c
> @@ -295,6 +295,8 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
> uint8_t locty = tpm_tis_locality_from_addr(addr);
> hwaddr base = addr & ~0xfff;
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> +
> printf("tpm_tis: active locality : %d\n"
> "tpm_tis: state of locality %d : %d\n"
> "tpm_tis: register dump:\n",
> @@ -336,6 +338,8 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
> uint32_t avail;
> uint8_t v;
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> +
> if (tpm_backend_had_startup_error(s->be_driver)) {
> return 0;
> }
> @@ -458,6 +462,8 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
> uint16_t len;
> uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> +
> trace_tpm_tis_mmio_write(size, addr, val);
>
> if (locty == 4) {
All 3 of your fixes below are after the 3 existing calls to
tpm_tis_locality_from_addr(). Would Coverity be happy if we were to move
the asserts into that one function? I am fine with this patch, though.
* Re: [PATCH] hw/tpm/tpm_tis_common.c: Assert that locty is in range
From: Peter Maydell @ 2022-05-18 16:45 UTC (permalink / raw)
To: Stefan Berger; +Cc: qemu-devel, Stefan Berger
On Wed, 18 May 2022 at 14:46, Stefan Berger <stefanb@linux.ibm.com> wrote:
>
>
>
> On 5/13/22 12:38, Peter Maydell wrote:
> > In tpm_tis_mmio_read(), tpm_tis_mmio_write() and
> > tpm_tis_dump_state(), we calculate a locality index with
> > tpm_tis_locality_from_addr() and then use it as an index into the
> > s->loc[] array. In all these cases, the array index can't overflow
> > because the MemoryRegion is sized to be TPM_TIS_NUM_LOCALITIES <<
> > TPM_TIS_LOCALITY_SHIFT bytes. However, Coverity can't see that, and
> > it complains (CID 1487138, 1487180, 1487188, 1487198, 1487240).
>
> All 3 of your fixes below are after the 3 existing calls to
> tpm_tis_locality_from_addr(). Would Coverity be happy if we were to move
> the asserts into that one function? I am fine with this patch, though.
Yes, I think Coverity would be happy either way. There's not
a lot in it, but I picked this way round because in theory one
might want in a hypothetical future situation to have a different
kind of error checking for a callsite that did an address-to-locality
lookup: it's not inherently of itself never possible it can fail.
thanks
-- PMM
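
The trade-off discussed in this thread, as an added sketch that is not code from the patch or from QEMU: it models why the region size bounds the locality index and contrasts an assert at the callsite with a callsite that fails the access instead. The constant values, the 0x7 mask and all function names are assumptions made for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this sketch; the thread names the macros, not their values. */
#define NUM_LOCALITIES 5u
#define LOCALITY_SHIFT 12u
#define REGION_SIZE    ((uint64_t)NUM_LOCALITIES << LOCALITY_SHIFT)
#define IS_VALID_LOCTY(x) ((x) < NUM_LOCALITIES)
static uint32_t loc_access[NUM_LOCALITIES];   /* stand-in for s->loc[] */

/* Hypothetical lookup: the assumed 0x7 mask permits 0..7, which is all a
 * static analyser can prove about the result without knowing the region size. */
static uint8_t locality_from_addr(uint64_t addr)
{
    return (uint8_t)((addr >> LOCALITY_SHIFT) & 0x7);
}

/* Highest index reachable when offsets are below region_size
 * (valid for 0 < region_size <= 8 << LOCALITY_SHIFT). */
static uint8_t max_locty_for_region(uint64_t region_size)
{
    return locality_from_addr(region_size - 1);
}

/* Callsite assert, the style the patch uses: documents the sizing invariant. */
static uint32_t read_asserting(uint64_t addr)
{
    uint8_t locty = locality_from_addr(addr);
    assert(IS_VALID_LOCTY(locty));
    return loc_access[locty];
}

/* What a callsite could do instead: fail the access and keep running. */
static bool read_checked(uint64_t addr, uint32_t *out)
{
    uint8_t locty = locality_from_addr(addr);
    if (!IS_VALID_LOCTY(locty)) {
        return false;
    }
    *out = loc_access[locty];
    return true;
}

int main(void)
{
    printf("sized %d, oversized %d, in-range read %u, checked 0x5000 ok %d\n",
           max_locty_for_region(REGION_SIZE), max_locty_for_region(8u << LOCALITY_SHIFT),
           (unsigned)read_asserting(0x4f00), read_checked(0x5000, &loc_access[0]));
    return 0;
}
```

With the region sized exactly, the largest reachable index is inside the array; with an oversized region only the assert or the explicit check stands between the offset and an out-of-bounds access.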