* [PATCH] aspeed/smc: Fix potential overflow
@ 2022-06-28 16:55 Cédric Le Goater
From: Cédric Le Goater @ 2022-06-28 16:55 UTC
To: qemu-arm, qemu-devel
Cc: Peter Maydell, Andrew Jeffery, Joel Stanley, Cédric Le Goater
Coverity warns that "ssi_transfer(s->spi, 0U) << 8 * i" might overflow
because the expression is evaluated using 32-bit arithmetic and then
used in a context expecting a uint64_t.
Fixes: Coverity CID 1487244
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---
hw/ssi/aspeed_smc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index d2b1dde604e3..26640539ae64 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -490,7 +490,7 @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
switch (aspeed_smc_flash_mode(fl)) {
case CTRL_USERMODE:
for (i = 0; i < size; i++) {
- ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
+ ret |= (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i);
}
break;
case CTRL_READMODE:
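Review bot: the shift count `8 * i` in the CTRL_USERMODE loop is still bounded only by `size`, and nothing in this hunk limits `size`; once it exceeds 8 the count reaches 64 and the shift is undefined even with the `(uint64_t)` cast. Consider asserting `size <= 8` before the switch, or stating in a comment where the caller guarantees that bound.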
@@ -499,7 +499,7 @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
aspeed_smc_flash_setup(fl, addr);
for (i = 0; i < size; i++) {
- ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
+ ret |= (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i);
}
aspeed_smc_flash_unselect(fl);
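Review bot: the CTRL_READMODE loop repeats the exact expression fixed in CTRL_USERMODE, `ret |= (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i);`, so the widening cast now has to be kept in sync in two places. A small helper that reads `size` bytes into a uint64_t would keep the cast in one spot and make it harder for a later edit to reintroduce the 32-bit shift in one branch only.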
--
2.35.3
* Re: [PATCH] aspeed/smc: Fix potential overflow
@ 2022-06-29 2:41 ` Joel Stanley
From: Joel Stanley @ 2022-06-29 2:41 UTC
To: Cédric Le Goater
Cc: qemu-arm, QEMU Developers, Peter Maydell, Andrew Jeffery
On Tue, 28 Jun 2022 at 16:55, Cédric Le Goater <clg@kaod.org> wrote:
>
> Coverity warns that "ssi_transfer(s->spi, 0U) << 8 * i" might overflow
> because the expression is evaluated using 32-bit arithmetic and then
> used in a context expecting a uint64_t.
Would it make sense to also place a limit on "size"?
assert(size < something)
>
> Fixes: Coverity CID 1487244
> Signed-off-by: Cédric Le Goater <clg@kaod.org>
> ---
> hw/ssi/aspeed_smc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
> index d2b1dde604e3..26640539ae64 100644
> --- a/hw/ssi/aspeed_smc.c
> +++ b/hw/ssi/aspeed_smc.c
> @@ -490,7 +490,7 @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
> switch (aspeed_smc_flash_mode(fl)) {
> case CTRL_USERMODE:
> for (i = 0; i < size; i++) {
> - ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
> + ret |= (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i);
> }
> break;
> case CTRL_READMODE:
> @@ -499,7 +499,7 @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
> aspeed_smc_flash_setup(fl, addr);
>
> for (i = 0; i < size; i++) {
> - ret |= ssi_transfer(s->spi, 0x0) << (8 * i);
> + ret |= (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i);
> }
>
> aspeed_smc_flash_unselect(fl);
> --
> 2.35.3
>
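As an added example (not code from the patch or from QEMU), the C program below contrasts the pre-patch 32-bit shift with the patched 64-bit shift combined with the bound on `size` asked about in the reply. `sample`, `stub_transfer` and both `read_*` functions are hypothetical, and the stub assumes a 32-bit unsigned return value, as the commit message describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: the bytes a flash device would clock out, in order. */
static const uint8_t sample[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

/* Hypothetical stand-in for ssi_transfer(): i-th byte, returned as 32 bits. */
static uint32_t stub_transfer(unsigned i) { return sample[i % sizeof(sample)]; }

/* Pre-patch expression: the shift happens in uint32_t, so a count of 32 or
 * more is undefined. The guard reports that case instead of executing it. */
static bool read_32bit_shift(unsigned size, uint64_t *out)
{
    uint64_t ret = 0;
    for (unsigned i = 0; i < size; i++) {
        if (8 * i >= 32) {
            return false;
        }
        ret |= stub_transfer(i) << (8 * i);
    }
    *out = ret;
    return true;
}

/* Patched expression plus a bound on size: widening first makes counts up
 * to 56 valid, and rejecting size > 8 keeps the count below 64. */
static bool read_64bit_shift(unsigned size, uint64_t *out)
{
    uint64_t ret = 0;
    if (size > sizeof(ret)) {
        return false;
    }
    for (unsigned i = 0; i < size; i++) {
        ret |= (uint64_t)stub_transfer(i) << (8 * i);
    }
    *out = ret;
    return true;
}

int main(void)
{
    uint64_t v = 0;
    printf("32-bit shift, size 8: %s\n", read_32bit_shift(8, &v) ? "ok" : "undefined");
    bool ok = read_64bit_shift(8, &v);
    printf("64-bit shift, size 8: %s 0x%016llx\n", ok ? "ok" : "rejected", (unsigned long long)v);
    return 0;
}
```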