* [Qemu-devel] [PATCH] nvic: Fix miscalculation of offsets into ITNS array
@ 2017-10-10 15:54 Peter Maydell
From: Peter Maydell @ 2017-10-10 15:54 UTC
To: qemu-arm, qemu-devel; +Cc: patches, Richard Henderson
This calculation of the first exception vector in
the ITNS<n> register being accessed:
int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
is incorrect, because offset is in bytes, so we only want
to multiply by 8.
Spotted by Coverity (CID 1381484, CID 1381488), though it is
not correct that it actually overflows the buffer, because
we have a 'startvec + i < s->num_irq' guard.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Oops. I guess this is what Coverity is there to catch :-)
hw/intc/armv7m_nvic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index 22d5e6e..201e90f 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -698,7 +698,7 @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
{
- int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+ int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
int i;
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
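Review bot: the corrected constant in `int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;` is right for a byte offset into a bank of 32-bit ITNS<n> words (one byte of offset covers 8 vectors, a 4-byte step covers 32, and the `0x380 ... 0x3bf` case range is 64 bytes of such words), but it is still an unexplained magic number; a short comment on that line, e.g. `/* 32 vectors per 4-byte ITNS<n> word */`, would have made the old `32 *` look wrong at a glance. The `startvec + i < s->num_irq` guard the commit message relies on to rule out an out-of-bounds access is outside this hunk's context and cannot be checked from the lines shown here.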
@@ -1102,7 +1102,7 @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
switch (offset) {
case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
{
- int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+ int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
int i;
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
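Review bot: this is the identical `startvec` computation to the one in nvic_readl, and the same wrong constant had to be fixed in both the read and the write path; consider factoring it into a small static helper (a name such as `nvic_itns_startvec(offset)` is only a suggestion) so the two decoders cannot drift apart again and the bounds guard the commit message mentions lives in one place.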
--
2.7.4
* Re: [Qemu-devel] [PATCH] nvic: Fix miscalculation of offsets into ITNS array
@ 2017-10-12 15:00 Richard Henderson
From: Richard Henderson @ 2017-10-12 15:00 UTC
To: Peter Maydell, qemu-arm, qemu-devel; +Cc: patches
On 10/10/2017 08:54 AM, Peter Maydell wrote:
> This calculation of the first exception vector in
> the ITNS<n> register being accessed:
> int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
>
> is incorrect, because offset is in bytes, so we only want
> to multiply by 8.
>
> Spotted by Coverity (CID 1381484, CID 1381488), though it is
> not correct that it actually overflows the buffer, because
> we have a 'startvec + i < s->num_irq' guard.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> Oops. I guess this is what Coverity is there to catch :-)
>
> hw/intc/armv7m_nvic.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
r~