* New Defects reported by Coverity Scan for QEMU/PPC
From: Cédric Le Goater @ 2025-03-14 7:10 UTC (permalink / raw)
To: list@suse.de:PowerPC, QEMU Developers
Cc: Nick Piggin, BALATON Zoltan, Mike Kowal, Harsh Prateek Bora,
Shivaprasad G Bhat
Hello,
Just a heads up about the issues Coverity found in the latest QEMU.
It would be nice to fix them before QEMU 10.0 is released.
Thanks,
C.
-------- Forwarded Message --------
Subject: New Defects reported by Coverity Scan for QEMU
Date: Thu, 13 Mar 2025 18:44:59 +0000
From: scan-admin@coverity.com
To: clg@kaod.org
Hi,
Please find the latest report on new defect(s) introduced to QEMU found with Coverity Scan.
5 new defect(s) introduced to QEMU found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 1593725: Error handling issues (CHECKED_RETURN)
/builds/qemu-project/qemu/hw/ppc/amigaone.c: 112 in nvram_write()
________________________________________________________________________________________________________
*** CID 1593725: Error handling issues (CHECKED_RETURN)
/builds/qemu-project/qemu/hw/ppc/amigaone.c: 112 in nvram_write()
106 {
107 A1NVRAMState *s = opaque;
108 uint8_t *p = memory_region_get_ram_ptr(&s->mr);
109
110 p[addr] = val;
111 if (s->blk) {
>>> CID 1593725: Error handling issues (CHECKED_RETURN)
>>> Calling "blk_pwrite" without checking return value (as is done elsewhere 30 out of 36 times).
112 blk_pwrite(s->blk, addr, 1, &val, 0);
113 }
114 }
115
116 static const MemoryRegionOps nvram_ops = {
117 .read = nvram_read,
** CID 1593724: Integer handling issues (BAD_SHIFT)
/builds/qemu-project/qemu/hw/intc/xive.c: 1665 in xive_get_vpgroup_size()
________________________________________________________________________________________________________
*** CID 1593724: Integer handling issues (BAD_SHIFT)
/builds/qemu-project/qemu/hw/intc/xive.c: 1665 in xive_get_vpgroup_size()
1659 {
1660 /*
1661 * Group size is a power of 2. The position of the first 0
1662 * (starting with the least significant bits) in the NVP index
1663 * gives the size of the group.
1664 */
>>> CID 1593724: Integer handling issues (BAD_SHIFT)
>>> In expression "1 << ctz32(~nvp_index) + 1", left shifting by more than 31 bits has undefined behavior. The shift amount, "ctz32(~nvp_index) + 1", is 33.
1665 return 1 << (ctz32(~nvp_index) + 1);
1666 }
1667
1668 static uint8_t xive_get_group_level(bool crowd, bool ignore,
1669 uint32_t nvp_blk, uint32_t nvp_index)
1670 {
** CID 1593723: (DEADCODE)
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 266 in pnv_bmc_set_pnor()
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 271 in pnv_bmc_set_pnor()
________________________________________________________________________________________________________
*** CID 1593723: (DEADCODE)
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 266 in pnv_bmc_set_pnor()
260
261 /*
262 * The HIOMAP protocol uses block units and 16-bit addressing.
263 * Prevent overflow or misalign.
264 */
265 if (pnor_addr >= 1U << (BLOCK_SHIFT + 16)) {
>>> CID 1593723: (DEADCODE)
>>> Execution cannot reach this statement: "warn_report("PNOR address i...".
266 warn_report("PNOR address is larger than 2^%d, disabling PNOR",
267 BLOCK_SHIFT + 16);
268 return;
269 }
270 if (pnor_addr & ((1U << BLOCK_SHIFT) - 1)) {
271 warn_report("PNOR address is not aligned to 2^%d, disabling PNOR",
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 271 in pnv_bmc_set_pnor()
265 if (pnor_addr >= 1U << (BLOCK_SHIFT + 16)) {
266 warn_report("PNOR address is larger than 2^%d, disabling PNOR",
267 BLOCK_SHIFT + 16);
268 return;
269 }
270 if (pnor_addr & ((1U << BLOCK_SHIFT) - 1)) {
>>> CID 1593723: (DEADCODE)
>>> Execution cannot reach this statement: "warn_report("PNOR address i...".
271 warn_report("PNOR address is not aligned to 2^%d, disabling PNOR",
272 BLOCK_SHIFT);
273 return;
274 }
275 if (pnor_size > 1U << (BLOCK_SHIFT + 16)) {
276 warn_report("PNOR size is larger than 2^%d, disabling PNOR",
** CID 1593722: Memory - corruptions (OVERRUN)
/builds/qemu-project/qemu/hw/ppc/spapr.c: 299 in spapr_dt_pa_features()
________________________________________________________________________________________________________
*** CID 1593722: Memory - corruptions (OVERRUN)
/builds/qemu-project/qemu/hw/ppc/spapr.c: 299 in spapr_dt_pa_features()
293 /* Workaround for broken kernels that attempt (guest) radix
294 * mode when they can't handle it, if they see the radix bit set
295 * in pa-features. So hide it from them. */
296 pa_features[40 + 2] &= ~0x80; /* Radix MMU */
297 }
298 if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
>>> CID 1593722: Memory - corruptions (OVERRUN)
>>> Overrunning array of 26 bytes at byte offset 66 by dereferencing pointer "pa_features + 66".
299 pa_features[66] |= 0x80;
300 }
301
302 _FDT((fdt_setprop(fdt, offset, "ibm,pa-features", pa_features, pa_size)));
303 }
304
** CID 1593721: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/builds/qemu-project/qemu/hw/intc/xive2.c: 1338 in xive2_router_end_notify()
________________________________________________________________________________________________________
*** CID 1593721: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/builds/qemu-project/qemu/hw/intc/xive2.c: 1338 in xive2_router_end_notify()
1332 if (!xive2_end_is_valid(&end)) {
1333 qemu_log_mask(LOG_GUEST_ERROR, "XIVE: END %x/%x is invalid\n",
1334 end_blk, end_idx);
1335 return;
1336 }
1337
>>> CID 1593721: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "be32_to_cpu(end.w6) & (536870912U /* 0x80000000U >> 2 */) & !(be32_to_cpu(end.w6) & (1073741824U /* 0x80000000U >> 1 */))" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if".
1338 if (xive2_end_is_crowd(&end) & !xive2_end_is_ignore(&end)) {
1339 qemu_log_mask(LOG_GUEST_ERROR,
1340 "XIVE: invalid END, 'crowd' bit requires 'ignore' bit\n");
1341 return;
1342 }
1343
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/qemu?tab=overview
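Added example, not part of this mail or of the QEMU sources: small stand-ins for three of the patterns above (CID 1593724 BAD_SHIFT, CID 1593721 CONSTANT_EXPRESSION_RESULT, CID 1593722 OVERRUN), each reproduced beside a guarded form so the defect can be seen on concrete inputs. Assumptions: ctz32_local() mirrors QEMU's ctz32() in returning 32 for a zero argument (that is what yields the analyzer's shift count of 33); the crowd/ignore masks are the values printed in the report; the 80-byte buffer and all function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to match QEMU's ctz32(): trailing-zero count, with ctz32(0) == 32. */
static inline int ctz32_local(uint32_t v)
{
    return v ? __builtin_ctz(v) : 32;
}

/* CID 1593724: the shift amount from xive_get_vpgroup_size(). When every bit
 * of nvp_index is set, ~nvp_index == 0 and the count becomes 32 + 1 == 33. */
static int vpgroup_shift(uint32_t nvp_index)
{
    return ctz32_local(~nvp_index) + 1;
}

/* Guarded variant: refuse a shift of 32 or more (undefined behaviour on a
 * 32-bit int) and return 0, which is never a valid power-of-two group size. */
static uint32_t vpgroup_size_checked(uint32_t nvp_index)
{
    int shift = vpgroup_shift(nvp_index);
    if (shift >= 32) {
        return 0;
    }
    return 1u << shift;
}

/* CID 1593721: END word-6 flag bits as printed in the report (crowd =
 * 0x80000000 >> 2, ignore = 0x80000000 >> 1). The accessors return the raw
 * masked word, not a normalised 0/1. */
#define END_W6_CROWD  (0x80000000U >> 2)
#define END_W6_IGNORE (0x80000000U >> 1)

static uint32_t end_is_crowd(uint32_t w6)  { return w6 & END_W6_CROWD; }
static uint32_t end_is_ignore(uint32_t w6) { return w6 & END_W6_IGNORE; }

/* The flagged form: 0x20000000 & (0 or 1) is always 0, so the "crowd bit
 * requires ignore bit" error path can never fire. */
static bool crowd_without_ignore_bitwise(uint32_t w6)
{
    return end_is_crowd(w6) & !end_is_ignore(w6);
}

/* The intended test uses logical AND, which treats any non-zero mask as true. */
static bool crowd_without_ignore_logical(uint32_t w6)
{
    return end_is_crowd(w6) && !end_is_ignore(w6);
}

/* CID 1593722: setting a bit at byte offset 66 of a pa-features buffer that is
 * only 26 bytes long writes past its end. Carry the size with the pointer and
 * refuse out-of-range offsets instead of indexing blindly. */
static bool set_pa_feature_bit(uint8_t *pa_features, size_t pa_size,
                               size_t byte, uint8_t mask)
{
    if (byte >= pa_size) {
        return false;
    }
    pa_features[byte] |= mask;
    return true;
}

/* Constructed inputs: a 26-byte buffer (the size named in the report) and an
 * 80-byte one chosen here so that offset 66 is in range. */
static bool dawr1_bit_on_26_byte_buffer(void)
{
    uint8_t pa_features[26] = { 0 };
    return set_pa_feature_bit(pa_features, sizeof(pa_features), 66, 0x80);
}

static bool dawr1_bit_on_80_byte_buffer(void)
{
    uint8_t pa_features[80] = { 0 };
    return set_pa_feature_bit(pa_features, sizeof(pa_features), 66, 0x80)
           && pa_features[66] == 0x80;
}

int main(void)
{
    printf("shift for nvp_index 0xffffffff: %d\n", vpgroup_shift(0xffffffffu));
    printf("checked size for 0xffffffff: %u, for 7: %u\n",
           vpgroup_size_checked(0xffffffffu), vpgroup_size_checked(7u));
    printf("crowd-without-ignore, bitwise: %d, logical: %d\n",
           crowd_without_ignore_bitwise(END_W6_CROWD),
           crowd_without_ignore_logical(END_W6_CROWD));
    printf("bit 66 on 26 bytes: %d, on 80 bytes: %d\n",
           dawr1_bit_on_26_byte_buffer(), dawr1_bit_on_80_byte_buffer());
    return 0;
}
```

The bitwise form compiles cleanly, which is why a static analyzer is what catches it: the mask-valued left operand and the 0/1 right operand never share a bit. For the shift, the guarded variant deliberately returns 0 rather than clamping, so a caller that treats the result as a group size sees an obviously invalid value instead of a silently wrong one.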