[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PULL 22/33] spapr: Implement Open Firmware client interface
From: |
Peter Maydell |
Subject: |
Re: [PULL 22/33] spapr: Implement Open Firmware client interface |
Date: |
Tue, 13 Jul 2021 12:09:18 +0100 |
On Fri, 9 Jul 2021 at 06:17, David Gibson <david@gibson.dropbear.id.au> wrote:
>
> From: Alexey Kardashevskiy <aik@ozlabs.ru>
>
> The PAPR platform describes an OS environment that's presented by
> a combination of a hypervisor and firmware. The features it specifies
> require collaboration between the firmware and the hypervisor.
Another Coverity issue unrelated to the others: CID 1458132:
> +int vof_client_call(MachineState *ms, Vof *vof, void *fdt,
> + target_ulong args_real)
> +{
> + struct prom_args args_be;
> + uint32_t args[ARRAY_SIZE(args_be.args)];
> + uint32_t rets[ARRAY_SIZE(args_be.args)] = { 0 }, ret;
> + char service[64];
> + unsigned nargs, nret, i;
> +
> + if (VOF_MEM_READ(args_real, &args_be, sizeof(args_be)) != MEMTX_OK) {
> + return -EINVAL;
> + }
> + nargs = be32_to_cpu(args_be.nargs);
> + if (nargs >= ARRAY_SIZE(args_be.args)) {
Our only bounds check against overflowing the args arrays is here,
on 'nargs'...
> + return -EINVAL;
> + }
> +
> + if (VOF_MEM_READ(be32_to_cpu(args_be.service), service, sizeof(service))
> !=
> + MEMTX_OK) {
> + return -EINVAL;
> + }
> + if (strnlen(service, sizeof(service)) == sizeof(service)) {
> + /* Too long service name */
> + return -EINVAL;
> + }
> +
> + for (i = 0; i < nargs; ++i) {
> + args[i] = be32_to_cpu(args_be.args[i]);
> + }
> +
> + nret = be32_to_cpu(args_be.nret);
> + ret = vof_client_handle(ms, fdt, vof, service, args, nargs, rets, nret);
> + if (!nret) {
> + return 0;
> + }
> +
> + args_be.args[nargs] = cpu_to_be32(ret);
> + for (i = 1; i < nret; ++i) {
> + args_be.args[nargs + i] = cpu_to_be32(rets[i - 1]);
> + }
...but in the code we fill the args_be array with "nargs + 1 + nret - 1"
values.
Side note: is the code really intentionally copying only nret-1 values
from rets[], or is the loop condition supposed to be "<= nret" ?
> +
> + if (VOF_MEM_WRITE(args_real + offsetof(struct prom_args, args[nargs]),
> + args_be.args + nargs, sizeof(args_be.args[0]) * nret)
> !=
> + MEMTX_OK) {
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
thanks
-- PMM
- [PULL 10/33] target/ppc: Split out ppc_jumbo_xlate, (continued)
- [PULL 10/33] target/ppc: Split out ppc_jumbo_xlate, David Gibson, 2021/07/09
- [PULL 13/33] target/ppc: Fix compilation with DUMP_PAGE_TABLES debug option, David Gibson, 2021/07/09
- [PULL 11/33] target/ppc: Introduce ppc_xlate, David Gibson, 2021/07/09
- [PULL 21/33] docs/system: ppc: Update ppce500 documentation with eTSEC support, David Gibson, 2021/07/09
- [PULL 19/33] target/ppc: change ppc_hash32_xlate to use mmu_idx, David Gibson, 2021/07/09
- [PULL 23/33] target/ppc: mtmsrd is an illegal instruction on BookE, David Gibson, 2021/07/09
- [PULL 16/33] target/ppc: fix address translation bug for radix mmus, David Gibson, 2021/07/09
- [PULL 25/33] target/ppc: Allow virtual hypervisor on CPU without HV, David Gibson, 2021/07/09
- [PULL 22/33] spapr: Implement Open Firmware client interface, David Gibson, 2021/07/09
- [PULL 26/33] target/ppc/spapr: Update H_GET_CPU_CHARACTERISTICS L1D cache flush bits, David Gibson, 2021/07/09
- [PULL 24/33] ppc/pegasos2: Introduce Pegasos2MachineState structure, David Gibson, 2021/07/09
- [PULL 28/33] ppc/pegasos2: Fix use of && instead of &, David Gibson, 2021/07/09
- [PULL 20/33] roms/u-boot: Bump ppce500 u-boot to v2021.07 to add eTSEC support, David Gibson, 2021/07/09
- [PULL 27/33] ppc/pegasos2: Use Virtual Open Firmware as firmware replacement, David Gibson, 2021/07/09
- [PULL 30/33] target/ppc: Don't compile ppc_tlb_invalid_all without TCG, David Gibson, 2021/07/09
- [PULL 32/33] linux-headers: Update, David Gibson, 2021/07/09
- [PULL 29/33] ppc/pegasos2: Implement some RTAS functions with VOF, David Gibson, 2021/07/09
- [PULL 33/33] target/ppc: Support for H_RPT_INVALIDATE hcall, David Gibson, 2021/07/09
- [PULL 31/33] spapr: Fix implementation of Open Firmware client interface, David Gibson, 2021/07/09