* Re: [Qemu-devel] [Qemu-arm] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event Eric Auger
@ 2018-05-16 16:02   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 9+ messages in thread
From: Philippe Mathieu-Daudé @ 2018-05-16 16:02 UTC (permalink / raw)
  To: Eric Auger, eric.auger.pro, qemu-devel, qemu-arm, peter.maydell

On 05/16/2018 03:03 PM, Eric Auger wrote:
> Coverity complains about use of uninitialized Evt struct.
> The EVT_SET_TYPE and similar setters use deposit32() on fields
> in the struct, so they read the uninitialized existing values.
> In cases where we don't set all the fields in the event struct
> we'll end up leaking random uninitialized data from QEMU's
> stack into the guest.
> 
> Initializing the struct with "Evt evt = {};" ought to satisfy
> Coverity and fix the data leak.
> 
> Signed-off-by: Eric Auger <eric.auger@redhat.com>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  hw/arm/smmuv3.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
> index b3026de..42dc521 100644
> --- a/hw/arm/smmuv3.c
> +++ b/hw/arm/smmuv3.c
> @@ -143,7 +143,7 @@ static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
>  
>  void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
>  {
> -    Evt evt;
> +    Evt evt = {};
>      MemTxResult r;
>  
>      if (!smmuv3_eventq_enabled(s)) {
> 


* Re: [Qemu-devel] [Qemu-arm] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address Eric Auger
@ 2018-05-16 16:16   ` Philippe Mathieu-Daudé
  2018-05-16 16:23     ` Peter Maydell
  0 siblings, 1 reply; 9+ messages in thread
From: Philippe Mathieu-Daudé @ 2018-05-16 16:16 UTC (permalink / raw)
  To: Eric Auger, eric.auger.pro, qemu-devel, qemu-arm, peter.maydell

Hi Eric,

On 05/16/2018 03:03 PM, Eric Auger wrote:
> Coverity points out that this can overflow if n > 31,
> because it's only doing 32-bit arithmetic. Let's use 1ULL instead
> of 1. Also the formulae used to compute n can be replaced by
> the level_shift() macro.

This level_shift() replacement doesn't seem that obvious to me, can you
split it in another patch?

> 
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Eric Auger <eric.auger@redhat.com>
> ---
>  hw/arm/smmu-common.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
> index 01c7be8..3c5f724 100644
> --- a/hw/arm/smmu-common.c
> +++ b/hw/arm/smmu-common.c
> @@ -83,9 +83,9 @@ static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
>  static inline hwaddr get_block_pte_address(uint64_t pte, int level,
>                                             int granule_sz, uint64_t *bsz)
>  {
> -    int n = (granule_sz - 3) * (4 - level) + 3;
> +    int n = level_shift(level, granule_sz);

Shouldn't this be level_shift(level + 1, granule_sz)?
Using level_shift() you replaced the trailing 3 by granule_sz. This
means the previous code was only correct for the granule_sz==3 case.

   level_shift(level + 1, granule_sz)
== (granule_sz - 3) * (3 - (level + 1)) + granule_sz;
== (granule_sz - 3) * (4 - level) + granule_sz;
!= (granule_sz - 3) * (4 - level) + 3;

>  
> -    *bsz = 1 << n;
> +    *bsz = 1ULL << n;

For the Coverity fix (patch split):
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

>      return PTE_ADDRESS(pte, n);
>  }
>  

Regards,

Phil.


* Re: [Qemu-devel] [Qemu-arm] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address
  2018-05-16 16:16   ` [Qemu-devel] [Qemu-arm] " Philippe Mathieu-Daudé
@ 2018-05-16 16:23     ` Peter Maydell
  2018-05-16 20:01       ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 9+ messages in thread
From: Peter Maydell @ 2018-05-16 16:23 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé
  Cc: Eric Auger, Eric Auger, QEMU Developers, qemu-arm

On 16 May 2018 at 16:16, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> Hi Eric,
>
> On 05/16/2018 03:03 PM, Eric Auger wrote:
>> Coverity points out that this can overflow if n > 31,
>> because it's only doing 32-bit arithmetic. Let's use 1ULL instead
>> of 1. Also the formulae used to compute n can be replaced by
>> the level_shift() macro.
>
> This level_shift() replacement doesn't seem that obvious to me, can you
> split it in another patch?
>
>>
>> Reported-by: Peter Maydell <peter.maydell@linaro.org>
>> Signed-off-by: Eric Auger <eric.auger@redhat.com>
>> ---
>>  hw/arm/smmu-common.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
>> index 01c7be8..3c5f724 100644
>> --- a/hw/arm/smmu-common.c
>> +++ b/hw/arm/smmu-common.c
>> @@ -83,9 +83,9 @@ static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
>>  static inline hwaddr get_block_pte_address(uint64_t pte, int level,
>>                                             int granule_sz, uint64_t *bsz)
>>  {
>> -    int n = (granule_sz - 3) * (4 - level) + 3;
>> +    int n = level_shift(level, granule_sz);
>
> Shouldn't this be level_shift(level + 1, granule_sz)?

No. The two expressions are equivalent, they're
just arranged differently:

   level_shift(lvl, gsz)
      == gsz + (3 - lvl) * (gsz - 3)
      == gsz + (4 - lvl) * (gsz - 3) - (gsz - 3)
      == gsz - gsz + (4 - lvl) * (gsz - 3) + 3
      == (gsz - 3) * (4 - lvl) + 3

thanks
-- PMM
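As an added illustration of the equivalence Peter shows above (example code written for this page, not code from the thread or from QEMU): both expressions for n are compared over the three translation granules and the four lookup levels, and the block size is computed with the 64-bit shift the patch introduces, alongside a check of when the old 32-bit `1 << n` stops being valid. level_shift_formula() re-states the formula as written in the reply; it is not a copy of QEMU's level_shift() macro, and the granule values 12/14/16 (4K/16K/64K pages) and levels 0..3 are assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* Re-statement of level_shift(lvl, gsz) as Peter writes it above
 * (not a copy of QEMU's macro). gsz is log2 of the translation
 * granule: 12, 14 or 16 for 4K, 16K or 64K pages (assumed). */
static inline int level_shift_formula(int lvl, int gsz)
{
    return gsz + (3 - lvl) * (gsz - 3);
}

/* The expression the patch removes. */
static inline int old_formula(int lvl, int gsz)
{
    return (gsz - 3) * (4 - lvl) + 3;
}

/* 1 if both expressions agree for every supported granule and level 0..3. */
int formulas_equivalent(void)
{
    static const int granules[] = { 12, 14, 16 };
    for (size_t g = 0; g < sizeof granules / sizeof granules[0]; g++) {
        for (int lvl = 0; lvl <= 3; lvl++) {
            if (level_shift_formula(lvl, granules[g]) !=
                old_formula(lvl, granules[g])) {
                return 0;
            }
        }
    }
    return 1;
}

/* Block size at this level, computed as the patched code does (1ULL << n).
 * Returns 0 if n is not a valid shift count for a 64-bit value. */
uint64_t block_size(int lvl, int gsz)
{
    int n = level_shift_formula(lvl, gsz);
    return (n < 0 || n > 63) ? 0 : (1ULL << n);
}

/* 1 if the unpatched `1 << n` (int arithmetic) is not valid at this level.
 * Coverity flags n > 31; n == 31 does not fit a signed 32-bit int either. */
int shift_overflows_int(int lvl, int gsz)
{
    return level_shift_formula(lvl, gsz) >= 31;
}
```

With a 4K granule, level 0 already needs n = 39, so every level-0 and level-1 block on a 4K or 64K granule is affected by the old 32-bit shift.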


* [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues
@ 2018-05-16 18:03 Eric Auger
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event Eric Auger
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Eric Auger @ 2018-05-16 18:03 UTC (permalink / raw)
  To: eric.auger.pro, eric.auger, qemu-devel, qemu-arm, peter.maydell

This series includes 2 patches that fix Coverity issues respectively
in smmuv3 and smmu-common code.

Eric Auger (2):
  hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event
  hw/arm/smmu-common: Fix coverity issue in get_block_pte_address

 hw/arm/smmu-common.c | 4 ++--
 hw/arm/smmuv3.c      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

-- 
1.8.3.1


* [Qemu-devel] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event
  2018-05-16 18:03 [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues Eric Auger
@ 2018-05-16 18:03 ` Eric Auger
  2018-05-16 16:02   ` [Qemu-devel] [Qemu-arm] " Philippe Mathieu-Daudé
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address Eric Auger
  2018-05-17 15:37 ` [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues Peter Maydell
  2 siblings, 1 reply; 9+ messages in thread
From: Eric Auger @ 2018-05-16 18:03 UTC (permalink / raw)
  To: eric.auger.pro, eric.auger, qemu-devel, qemu-arm, peter.maydell

Coverity complains about use of uninitialized Evt struct.
The EVT_SET_TYPE and similar setters use deposit32() on fields
in the struct, so they read the uninitialized existing values.
In cases where we don't set all the fields in the event struct
we'll end up leaking random uninitialized data from QEMU's
stack into the guest.

Initializing the struct with "Evt evt = {};" ought to satisfy
Coverity and fix the data leak.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index b3026de..42dc521 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -143,7 +143,7 @@ static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 
 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
 {
-    Evt evt;
+    Evt evt = {};
     MemTxResult r;
 
     if (!smmuv3_eventq_enabled(s)) {
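Review bot: `Evt evt = {};` zeroes every member, which is what the deposit32()-based setters need, but an empty initializer list is a GNU extension in C before C23; `Evt evt = {0};` is the portable spelling if the tree cares. It would also help to state in the commit message whether Evt is a plain array of 32-bit words: zero-initialization is not guaranteed to clear padding bytes, so for a struct with internal padding the copy written to the guest's event queue could still carry stack contents.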
-- 
1.8.3.1


* [Qemu-devel] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address
  2018-05-16 18:03 [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues Eric Auger
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event Eric Auger
@ 2018-05-16 18:03 ` Eric Auger
  2018-05-16 16:16   ` [Qemu-devel] [Qemu-arm] " Philippe Mathieu-Daudé
  2018-05-17 15:37 ` [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues Peter Maydell
  2 siblings, 1 reply; 9+ messages in thread
From: Eric Auger @ 2018-05-16 18:03 UTC (permalink / raw)
  To: eric.auger.pro, eric.auger, qemu-devel, qemu-arm, peter.maydell

Coverity points out that this can overflow if n > 31,
because it's only doing 32-bit arithmetic. Let's use 1ULL instead
of 1. Also the formulae used to compute n can be replaced by
the level_shift() macro.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Eric Auger <eric.auger@redhat.com>
---
 hw/arm/smmu-common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index 01c7be8..3c5f724 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -83,9 +83,9 @@ static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
 static inline hwaddr get_block_pte_address(uint64_t pte, int level,
                                            int granule_sz, uint64_t *bsz)
 {
-    int n = (granule_sz - 3) * (4 - level) + 3;
+    int n = level_shift(level, granule_sz);
 
-    *bsz = 1 << n;
+    *bsz = 1ULL << n;
     return PTE_ADDRESS(pte, n);
 }
 
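Review bot: the hunk changes two things at once, the 64-bit shift (the actual Coverity fix) and the switch to level_shift(), and the equivalence `gsz + (3 - lvl) * (gsz - 3) == (gsz - 3) * (4 - lvl) + 3` is not obvious on sight; either split the substitution into its own patch or spell the rearrangement out in the commit message. Since n is an int used as the shift count of a 64-bit value, a one-line comment (or an assert) that n stays below 64 for every supported granule and level would document why `1ULL << n` is always defined.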
-- 
1.8.3.1


* Re: [Qemu-devel] [Qemu-arm] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address
  2018-05-16 16:23     ` Peter Maydell
@ 2018-05-16 20:01       ` Philippe Mathieu-Daudé
  2018-05-17  7:07         ` Auger Eric
  0 siblings, 1 reply; 9+ messages in thread
From: Philippe Mathieu-Daudé @ 2018-05-16 20:01 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Eric Auger, Eric Auger, QEMU Developers, qemu-arm

On 05/16/2018 01:23 PM, Peter Maydell wrote:
> On 16 May 2018 at 16:16, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>> Hi Eric,
>>
>> On 05/16/2018 03:03 PM, Eric Auger wrote:
>>> Coverity points out that this can overflow if n > 31,
>>> because it's only doing 32-bit arithmetic. Let's use 1ULL instead
>>> of 1. Also the formulae used to compute n can be replaced by
>>> the level_shift() macro.
>>
>> This level_shift() replacement doesn't seem that obvious to me, can you
>> split it in another patch?
>>
>>>
>>> Reported-by: Peter Maydell <peter.maydell@linaro.org>
>>> Signed-off-by: Eric Auger <eric.auger@redhat.com>
>>> ---
>>>  hw/arm/smmu-common.c | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
>>> index 01c7be8..3c5f724 100644
>>> --- a/hw/arm/smmu-common.c
>>> +++ b/hw/arm/smmu-common.c
>>> @@ -83,9 +83,9 @@ static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
>>>  static inline hwaddr get_block_pte_address(uint64_t pte, int level,
>>>                                             int granule_sz, uint64_t *bsz)
>>>  {
>>> -    int n = (granule_sz - 3) * (4 - level) + 3;
>>> +    int n = level_shift(level, granule_sz);
>>
>> Shouldn't this be level_shift(level + 1, granule_sz)?
> 
> No. The two expressions are equivalent, they're
> just arranged differently:
> 
>    level_shift(lvl, gsz)
>       == gsz + (3 - lvl) * (gsz - 3)
>       == gsz + (4 - lvl) * (gsz - 3) - (gsz - 3)
>       == gsz - gsz + (4 - lvl) * (gsz - 3) + 3
>       == (gsz - 3) * (4 - lvl) + 3

Argh, I failed this middle school demonstration...

Thanks Peter :)

So for the much cleaner level_shift() use:
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>


* Re: [Qemu-devel] [Qemu-arm] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address
  2018-05-16 20:01       ` Philippe Mathieu-Daudé
@ 2018-05-17  7:07         ` Auger Eric
  0 siblings, 0 replies; 9+ messages in thread
From: Auger Eric @ 2018-05-17  7:07 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé, Peter Maydell
  Cc: qemu-arm, QEMU Developers, Eric Auger

Hi Philippe,
On 05/16/2018 10:01 PM, Philippe Mathieu-Daudé wrote:
> On 05/16/2018 01:23 PM, Peter Maydell wrote:
>> On 16 May 2018 at 16:16, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>>> Hi Eric,
>>>
>>> On 05/16/2018 03:03 PM, Eric Auger wrote:
>>>> Coverity points out that this can overflow if n > 31,
>>>> because it's only doing 32-bit arithmetic. Let's use 1ULL instead
>>>> of 1. Also the formulae used to compute n can be replaced by
>>>> the level_shift() macro.
>>>
>>> This level_shift() replacement doesn't seem that obvious to me, can you
>>> split it in another patch?
>>>
>>>>
>>>> Reported-by: Peter Maydell <peter.maydell@linaro.org>
>>>> Signed-off-by: Eric Auger <eric.auger@redhat.com>
>>>> ---
>>>>  hw/arm/smmu-common.c | 4 ++--
>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
>>>> index 01c7be8..3c5f724 100644
>>>> --- a/hw/arm/smmu-common.c
>>>> +++ b/hw/arm/smmu-common.c
>>>> @@ -83,9 +83,9 @@ static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
>>>>  static inline hwaddr get_block_pte_address(uint64_t pte, int level,
>>>>                                             int granule_sz, uint64_t *bsz)
>>>>  {
>>>> -    int n = (granule_sz - 3) * (4 - level) + 3;
>>>> +    int n = level_shift(level, granule_sz);
>>>
>>> Shouldn't this be level_shift(level + 1, granule_sz)?
>>
>> No. The two expressions are equivalent, they're
>> just arranged differently:
>>
>>    level_shift(lvl, gsz)
>>       == gsz + (3 - lvl) * (gsz - 3)
>>       == gsz + (4 - lvl) * (gsz - 3) - (gsz - 3)
>>       == gsz - gsz + (4 - lvl) * (gsz - 3) + 3
>>       == (gsz - 3) * (4 - lvl) + 3
> 
> Argh, I failed this middle school demonstration...
> 
> Thanks Peter :)
> 
> So for the much cleaner level_shift() use:
> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Thank you for the review!

Eric


* Re: [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues
  2018-05-16 18:03 [Qemu-devel] [PATCH 0/2] ARM SMMUv3: Fix a couple of Coverity issues Eric Auger
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 1/2] hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event Eric Auger
  2018-05-16 18:03 ` [Qemu-devel] [PATCH 2/2] hw/arm/smmu-common: Fix coverity issue in get_block_pte_address Eric Auger
@ 2018-05-17 15:37 ` Peter Maydell
  2 siblings, 0 replies; 9+ messages in thread
From: Peter Maydell @ 2018-05-17 15:37 UTC (permalink / raw)
  To: Eric Auger; +Cc: Eric Auger, QEMU Developers, qemu-arm

On 16 May 2018 at 19:03, Eric Auger <eric.auger@redhat.com> wrote:
> This series includes 2 patches that fix Coverity issues respectively
> in smmuv3 and smmu-common code.
>
> Eric Auger (2):
>   hw/arm/smmuv3: Fix Coverity issue in smmuv3_record_event
>   hw/arm/smmu-common: Fix coverity issue in get_block_pte_address
>
>  hw/arm/smmu-common.c | 4 ++--
>  hw/arm/smmuv3.c      | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
>
> --
Applied to target-arm.next, thanks.

-- PMM

