From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: Thomas Huth <huth@tuxfamily.org>, Laurent Vivier <laurent@vivier.eu>
Subject: [PATCH 3/3] hw/nubus/nubus-device: Range check 'slot' property
Date: Fri, 30 Aug 2024 18:34:52 +0100
Message-ID: <20240830173452.2086140-4-peter.maydell@linaro.org>
In-Reply-To: <20240830173452.2086140-1-peter.maydell@linaro.org>

The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot
using an int32 "slot" QOM property.  Its realize method doesn't do
any range checking on this value, which Coverity notices by way of
the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might
overflow the 32-bit arithmetic it is using.

Constrain the slot value to be less than NUBUS_SLOT_NB (16).

Resolves: Coverity CID 1464070
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/nubus/nubus-device.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c
index be4cb246966..26fbcf29a2b 100644
--- a/hw/nubus/nubus-device.c
+++ b/hw/nubus/nubus-device.c
@@ -35,6 +35,13 @@ static void nubus_device_realize(DeviceState *dev, Error **errp)
     uint8_t *rom_ptr;
     int ret;
 
+    if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) {
+        error_setg(errp,
+                   "'slot' value %d out of range (must be between 0 and %d)",
+                   nd->slot, NUBUS_SLOT_NB - 1);
+        return;
+    }
+
     /* Super */
     slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;
 
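Review bot: The new bound in nubus_device_realize() limits nd->slot to 0..NUBUS_SLOT_NB - 1, but the expression it is meant to protect, `slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;`, is left unchanged, and whether the largest allowed product fits depends on the type and value of NUBUS_SUPER_SLOT_SIZE and on the type of slot_offset, none of which this hunk shows. Please state in the commit message or in a short comment above the check why slot values up to NUBUS_SLOT_NB - 1 cannot overflow that multiplication, or do the multiplication in a 64-bit type so the guarantee does not rest on the constant's definition. Because the check also rejects every negative value, it is worth confirming that no negative default or "unassigned" value of the int32 'slot' property can still be present when realize runs.
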
-- 
2.34.1


