Re: [Qemu-ppc] [PULL 30/50] spapr: Generate FDT fragment for LMBs at con
From: Peter Maydell
Subject: Re: [Qemu-ppc] [PULL 30/50] spapr: Generate FDT fragment for LMBs at configure connector time
Date: Tue, 5 Mar 2019 16:10:20 +0000
On Tue, 26 Feb 2019 at 04:53, David Gibson <address@hidden> wrote:
>
> From: Greg Kurz <address@hidden>
Hi -- Coverity points out a possible overflow here (CID 1399145):
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index 00eb3b643c..b92deee771 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -3333,14 +3333,26 @@ static void spapr_nmi(NMIState *n, int cpu_index,
> Error **errp)
> }
> }
>
> +int spapr_lmb_dt_populate(sPAPRDRConnector *drc, sPAPRMachineState *spapr,
> + void *fdt, int *fdt_start_offset, Error **errp)
> +{
> + uint64_t addr;
> + uint32_t node;
> +
> + addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;
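Review bot: the product on the `addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;` line is evaluated in the operands' own type before it is widened to the `uint64_t addr` declared above, so if both operands are 32-bit (as the reply below reports Coverity flagging) a large DRC index wraps and the truncated value is what lands in `addr`. Widening one operand first fixes it, for example `addr = (uint64_t)spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;`, which makes the multiplication 64-bit regardless of how `SPAPR_MEMORY_BLOCK_SIZE` is defined. The new function also takes `Error **errp` but the visible lines do not yet show an error path; the quoted hunk is cut short here, so the rest cannot be reviewed from this message.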
This multiplication is done as a 32x32, which might overflow and
be truncated before the result is put into the 64-bit result.
Casting one side or the other to uint64_t would fix this.
thanks
-- PMM