qemu-ppc

Re: Fw: New Defects reported by Coverity Scan for QEMU


From: Alexey Kardashevskiy
Subject: Re: Fw: New Defects reported by Coverity Scan for QEMU
Date: Mon, 12 Jul 2021 19:26:20 +1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Thunderbird/89.0

How do you run it?


On 12/07/2021 19:25, Greg Kurz wrote:
FYI

Coverity detected some issues in VOF

Cheers,

--
Greg

Begin forwarded message:

Date: Sat, 10 Jul 2021 21:03:27 +0000
From: scan-admin@coverity.com
To: groug@kaod.org
Subject: New Defects reported by Coverity Scan for QEMU


Hi,

Please find the latest report on new defect(s) introduced to QEMU found with 
Coverity Scan.

8 new defect(s) introduced to QEMU found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)


** CID 1458139:  Error handling issues  (NEGATIVE_RETURNS)
/qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()


________________________________________________________________________________________________________
*** CID 1458139:  Error handling issues  (NEGATIVE_RETURNS)
/qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()
539         uint32_t phandle = vof_instance_to_package(vof, ihandle);
540         char tmp[VOF_MAX_PATH] = "";
541
542         if (phandle != -1) {
543             ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
544             if (ret > 0) {
     CID 1458139:  Error handling issues  (NEGATIVE_RETURNS)
     "ret" is passed to a parameter that cannot be negative. [Note: The source 
code implementation of the function has been overridden by a user model.]
545                 if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
546                     ret = -1;
547                 }
548             }
549         }
550         trace_vof_instance_to_path(ihandle, phandle, tmp, ret);

** CID 1458138:  Memory - corruptions  (OVERRUN)
/qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()


________________________________________________________________________________________________________
*** CID 1458138:  Memory - corruptions  (OVERRUN)
/qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()
539         uint32_t phandle = vof_instance_to_package(vof, ihandle);
540         char tmp[VOF_MAX_PATH] = "";
541
542         if (phandle != -1) {
543             ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
544             if (ret > 0) {
     CID 1458138:  Memory - corruptions  (OVERRUN)
     Overrunning array "tmp" of 256 bytes by passing it to a function which accesses it 
at byte offset 4294967289 using argument "ret" (which evaluates to 4294967290). [Note: 
The source code implementation of the function has been overridden by a user model.]
545                 if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
546                     ret = -1;
547                 }
548             }
549         }
550         trace_vof_instance_to_path(ihandle, phandle, tmp, ret);

** CID 1458137:  Error handling issues  (NEGATIVE_RETURNS)
/qemu/hw/ppc/vof.c: 525 in vof_package_to_path()


________________________________________________________________________________________________________
*** CID 1458137:  Error handling issues  (NEGATIVE_RETURNS)
/qemu/hw/ppc/vof.c: 525 in vof_package_to_path()
519     {
520         uint32_t ret = -1;
521         char tmp[VOF_MAX_PATH] = "";
522
523         ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
524         if (ret > 0) {
     CID 1458137:  Error handling issues  (NEGATIVE_RETURNS)
     "ret" is passed to a parameter that cannot be negative. [Note: The source 
code implementation of the function has been overridden by a user model.]
525             if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
526                 ret = -1;
527             }
528         }
529
530         trace_vof_package_to_path(phandle, tmp, ret);

** CID 1458136:  Error handling issues  (CHECKED_RETURN)
/qemu/hw/riscv/boot.c: 201 in riscv_load_fdt()


________________________________________________________________________________________________________
*** CID 1458136:  Error handling issues  (CHECKED_RETURN)
/qemu/hw/riscv/boot.c: 201 in riscv_load_fdt()
195          * Thus, put it at an 16MB aligned address that less than fdt size 
from the
196          * end of dram or 3GB whichever is lesser.
197          */
198         temp = MIN(dram_end, 3072 * MiB);
199         fdt_addr = QEMU_ALIGN_DOWN(temp - fdtsize, 16 * MiB);
200
     CID 1458136:  Error handling issues  (CHECKED_RETURN)
     Calling "fdt_pack" without checking return value (as is done elsewhere 4 
out of 5 times).
201         fdt_pack(fdt);
202         /* copy in the device tree */
203         qemu_fdt_dumpdtb(fdt, fdtsize);
204
205         rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
206                               &address_space_memory);

** CID 1458135:  Control flow issues  (UNREACHABLE)
/qemu/hw/pci-host/mv64361.c: 691 in mv64361_write()


________________________________________________________________________________________________________
*** CID 1458135:  Control flow issues  (UNREACHABLE)
/qemu/hw/pci-host/mv64361.c: 691 in mv64361_write()
685                 (addr == MV64340_PCI_0_MEMORY3_HIGH_ADDR_REMAP));
686             break;
687         case MV64340_PCI_1_IO_BASE_ADDR:
688             s->pci[1].io_base = val & 0x30fffffULL;
689             warn_swap_bit(val);
690             break;
     CID 1458135:  Control flow issues  (UNREACHABLE)
     This code cannot be reached: "{
   s->pci[1].remap[4] = (v...".
691             if (!(s->cpu_conf & BIT(27))) {
692                 s->pci[1].remap[4] = (val & 0xffffULL) << 16;
693             }
694             break;
695         case MV64340_PCI_1_IO_SIZE:
696             s->pci[1].io_size = val & 0xffffULL;

** CID 1458134:  Integer handling issues  (BAD_SHIFT)
/qemu/hw/vfio/common.c: 786 in vfio_register_ram_discard_listener()


________________________________________________________________________________________________________
*** CID 1458134:  Integer handling issues  (BAD_SHIFT)
/qemu/hw/vfio/common.c: 786 in vfio_register_ram_discard_listener()
780         vrdl->offset_within_address_space = 
section->offset_within_address_space;
781         vrdl->size = int128_get64(section->size);
782         vrdl->granularity = ram_discard_manager_get_min_granularity(rdm,
783                                                                     
section->mr);
784
785         g_assert(vrdl->granularity && is_power_of_2(vrdl->granularity));
     CID 1458134:  Integer handling issues  (BAD_SHIFT)
     In expression "1 << ctz64(container->pgsizes)", left shifting by more than 31 bits has 
undefined behavior.  The shift amount, "ctz64(container->pgsizes)", is 64.
786         g_assert(vrdl->granularity >= 1 << ctz64(container->pgsizes));
787
788         ram_discard_listener_init(&vrdl->listener,
789                                   vfio_ram_discard_notify_populate,
790                                   vfio_ram_discard_notify_discard, true);
791         ram_discard_manager_register_listener(rdm, &vrdl->listener, 
section);

** CID 1458133:  Memory - corruptions  (OVERRUN)
/qemu/hw/ppc/vof.c: 525 in vof_package_to_path()


________________________________________________________________________________________________________
*** CID 1458133:  Memory - corruptions  (OVERRUN)
/qemu/hw/ppc/vof.c: 525 in vof_package_to_path()
519     {
520         uint32_t ret = -1;
521         char tmp[VOF_MAX_PATH] = "";
522
523         ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
524         if (ret > 0) {
     CID 1458133:  Memory - corruptions  (OVERRUN)
     Overrunning array "tmp" of 256 bytes by passing it to a function which accesses it 
at byte offset 4294967289 using argument "ret" (which evaluates to 4294967290). [Note: 
The source code implementation of the function has been overridden by a user model.]
525             if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
526                 ret = -1;
527             }
528         }
529
530         trace_vof_package_to_path(phandle, tmp, ret);

** CID 1458132:  Memory - corruptions  (OVERRUN)
/qemu/hw/ppc/vof.c: 975 in vof_client_call()


________________________________________________________________________________________________________
*** CID 1458132:  Memory - corruptions  (OVERRUN)
/qemu/hw/ppc/vof.c: 975 in vof_client_call()
969         if (!nret) {
970             return 0;
971         }
972
973         args_be.args[nargs] = cpu_to_be32(ret);
974         for (i = 1; i < nret; ++i) {
     CID 1458132:  Memory - corruptions  (OVERRUN)
     Overrunning array "args_be.args" of 10 4-byte elements at element index 10 (byte 
offset 43) using index "nargs + i" (which evaluates to 10).
975             args_be.args[nargs + i] = cpu_to_be32(rets[i - 1]);
976         }
977
978         if (VOF_MEM_WRITE(args_real + offsetof(struct prom_args, 
args[nargs]),
979                           args_be.args + nargs, sizeof(args_be.args[0]) * 
nret) !=
980             MEMTX_OK) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrzEQNXe51mg-2FlKoEnRoarMq5nOxxfhqLUuo8HvG2S4Ew-3D-3DcZRx_jSsWe-2F8BIIMn-2B9cY8l8qvt9p9IF7rtc7g3r0ikIBL6GIol28p9caU9vZTC1xwZfxKmDiTO8e6mxQ7ZbEv31rPUBoHTUbMNZh9L5l5vgfe-2BEtU5qkZICtxrfTei790750jeD4KUVozZbec5fou0TGGUtwZSUzBVTsZ3AkvUG7VnBMAFJnyr0qf8MpWsH-2BRqvd1JKUzsEMfMiPKpWD2SNMew-3D-3D

   To manage Coverity Scan email notifications for "groug@kaod.org", click 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxRiRmd0M90iCQoPbezwE-2FkdHIv0GokBYfo3C26LRTTZhn5m6cUWP7bKhZRS6EfCeWpwUz6flf1if0n-2F4Af6v6uSf1vtg3ZYC-2F-2Braj-2BJWKKsI-3DWb5H_jSsWe-2F8BIIMn-2B9cY8l8qvt9p9IF7rtc7g3r0ikIBL6GIol28p9caU9vZTC1xwZfxhyVXRa4Bqo93IUFSAIr2QgJgImWKmJJGbB2isJhtmHtaFQqPYf6yyA5n9v2JHViIV7FY6O72S-2FI2b7t3LDy5nzWMtsKpRE1FHaq3HSNIuVbawJsSF6omSzWI9iOGKXHof4786OKNjB-2FY3Ita-2F2ZIqQ-3D-3D


--
Alexey
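The three VOF findings above (CID 1458139/1458138 and 1458137/1458133) share one root cause that the report states numerically: `phandle_to_path()` returns a negative error code, it is stored in a `uint32_t ret`, so -6 becomes 4294967290, the `ret > 0` guard passes, and that value reaches `VOF_MEM_WRITE()` as the length of a 256-byte buffer. The following C program is an added illustration written for this page, not QEMU code: `fake_phandle_to_path()` is a constructed stand-in (the path string and the -6 error code are made up), and instead of writing guest memory the two variants only return the length that would have been handed to the write, so the defect can be observed without reproducing the overrun.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VOF_MAX_PATH 256   /* same buffer size the Coverity report quotes */

/* Constructed stand-in for phandle_to_path(): returns the path length on
 * success, or a negative libfdt-style error code on failure. The phandle
 * value 0xdead and the -6 error code are invented for this example. */
static int fake_phandle_to_path(uint32_t phandle, char *buf, size_t len)
{
    if (phandle == 0xdead) {
        return -6;                      /* constructed "node not found" error */
    }
    return snprintf(buf, len, "/pci@800000020000000/disk@%x", phandle);
}

/* Models the length decision exactly as the flagged code makes it: the
 * signed return value is stored in a uint32_t, so a negative error becomes
 * a huge positive number and survives the "ret > 0" check. Returns the
 * byte count that would be passed to VOF_MEM_WRITE(), or 0 if skipped.
 * Nothing is copied, so the overrun itself is not reproduced. */
static uint64_t flawed_write_len(uint32_t phandle)
{
    uint32_t ret = -1;                  /* the unsigned ret from the report */
    char tmp[VOF_MAX_PATH] = "";

    ret = fake_phandle_to_path(phandle, tmp, sizeof(tmp));
    if (ret > 0) {                      /* 4294967290 > 0 is true */
        return ret;                     /* would overrun tmp by ~4 GiB */
    }
    return 0;
}

/* Corrected variant: keep the callee's signed type so errors stay negative,
 * and bound the length against the buffer before it becomes a copy size
 * (snprintf() reports the untruncated length, which may exceed len). */
static uint64_t fixed_write_len(uint32_t phandle)
{
    int ret;
    char tmp[VOF_MAX_PATH] = "";

    ret = fake_phandle_to_path(phandle, tmp, sizeof(tmp));
    if (ret <= 0 || (size_t)ret >= sizeof(tmp)) {
        return 0;                       /* error or truncated path: no write */
    }
    return (uint64_t)ret;
}

int main(void)
{
    printf("flawed, error case : %llu bytes\n",
           (unsigned long long)flawed_write_len(0xdead));   /* 4294967290 */
    printf("fixed,  error case : %llu bytes\n",
           (unsigned long long)fixed_write_len(0xdead));    /* 0 */
    printf("fixed,  good case  : %llu bytes\n",
           (unsigned long long)fixed_write_len(0x1234));    /* 30 */
    return 0;
}
```

The value 4294967290 printed by the flawed variant is the same one Coverity reports as "ret (which evaluates to 4294967290)", which is how the NEGATIVE_RETURNS and OVERRUN findings on the same line are two views of a single signed/unsigned mismatch. Building with `-Wsign-compare -Wsign-conversion` flags the assignment in `flawed_write_len()` at compile time.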


