* [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects
@ 2015-02-10  7:51 arei.gonglei
  2015-02-10  7:51 ` [Qemu-devel] [PATCH v2 1/2] xen-pt: fix Negative array index read arei.gonglei
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: arei.gonglei @ 2015-02-10  7:51 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-trivial, Gonglei, peter.huangpeng, stefano.stabellini

From: Gonglei <arei.gonglei@huawei.com>

v2 -> v1:
 - change the method of check in patch 2.(Stefano)
 - add ACK of Stefano in patch 1.

Gonglei (2):
  xen-pt: fix Negative array index read
  xen-pt: fix Out-of-bounds read

 hw/xen/xen_pt_config_init.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

-- 
1.7.12.4


* [Qemu-devel] [PATCH v2 1/2] xen-pt: fix Negative array index read
  2015-02-10  7:51 [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects arei.gonglei
@ 2015-02-10  7:51 ` arei.gonglei
  2015-02-10  7:51 ` [Qemu-devel] [PATCH v2 2/2] xen-pt: fix Out-of-bounds read arei.gonglei
  2015-02-10 18:57 ` [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects Michael Tokarev
  2 siblings, 0 replies; 6+ messages in thread
From: arei.gonglei @ 2015-02-10  7:51 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-trivial, Gonglei, peter.huangpeng, stefano.stabellini

From: Gonglei <arei.gonglei@huawei.com>

Coverity spot:
Function xen_pt_bar_offset_to_index() may return a negative
number (-1) as the index value, which is then used as an index into array d->io_regions.

Let's directly and simply pass index as an argument to
xen_pt_bar_reg_parse().

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---
 hw/xen/xen_pt_config_init.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
index de9a20f..710fe50 100644
--- a/hw/xen/xen_pt_config_init.c
+++ b/hw/xen/xen_pt_config_init.c
@@ -360,15 +360,13 @@ static uint64_t xen_pt_get_bar_size(PCIIORegion *r)
 }
 
 static XenPTBarFlag xen_pt_bar_reg_parse(XenPCIPassthroughState *s,
-                                         XenPTRegInfo *reg)
+                                         int index)
 {
     PCIDevice *d = &s->dev;
     XenPTRegion *region = NULL;
     PCIIORegion *r;
-    int index = 0;
 
     /* check 64bit BAR */
-    index = xen_pt_bar_offset_to_index(reg->offset);
     if ((0 < index) && (index < PCI_ROM_SLOT)) {
         int type = s->real_device.io_regions[index - 1].type;
 
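Review bot: with the xen_pt_bar_offset_to_index() call removed, xen_pt_bar_reg_parse() now takes `index` on trust from its caller, and the only test left in the visible body, `(0 < index) && (index < PCI_ROM_SLOT)`, gates the 64-bit BAR branch rather than rejecting a bad value. Since the commit message says the index is also used on d->io_regions, consider a short comment on the function stating that the caller must pass a validated, non-negative BAR index, or an assert at the top, so a future caller cannot reintroduce the negative-index read.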
@@ -422,7 +420,7 @@ static int xen_pt_bar_reg_init(XenPCIPassthroughState *s, XenPTRegInfo *reg,
     }
 
     /* set BAR flag */
-    s->bases[index].bar_flag = xen_pt_bar_reg_parse(s, reg);
+    s->bases[index].bar_flag = xen_pt_bar_reg_parse(s, index);
     if (s->bases[index].bar_flag == XEN_PT_BAR_FLAG_UNUSED) {
         reg_field = XEN_PT_INVALID_REG;
     }
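Review bot: at the changed call, `xen_pt_bar_reg_parse(s, index)` and `s->bases[index]` both depend on the range check earlier in xen_pt_bar_reg_init(), of which this hunk shows only the closing brace. It is worth stating in the commit message that this check rejects -1 before the call, and confirming that its upper bound matches the one patch 2/2 sets in xen_pt_bar_reg_read(), since that check is what makes passing `index` through safe.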
-- 
1.7.12.4


* [Qemu-devel] [PATCH v2 2/2] xen-pt: fix Out-of-bounds read
  2015-02-10  7:51 [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects arei.gonglei
  2015-02-10  7:51 ` [Qemu-devel] [PATCH v2 1/2] xen-pt: fix Negative array index read arei.gonglei
@ 2015-02-10  7:51 ` arei.gonglei
  2015-02-10  8:11   ` Stefano Stabellini
  2015-02-10 18:57 ` [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects Michael Tokarev
  2 siblings, 1 reply; 6+ messages in thread
From: arei.gonglei @ 2015-02-10  7:51 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-trivial, Gonglei, peter.huangpeng, stefano.stabellini

From: Gonglei <arei.gonglei@huawei.com>

The array length of s->real_device.io_regions[] is
"PCI_NUM_REGIONS - 1".

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 hw/xen/xen_pt_config_init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
index 710fe50..d99c22e 100644
--- a/hw/xen/xen_pt_config_init.c
+++ b/hw/xen/xen_pt_config_init.c
@@ -438,7 +438,7 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
 
     /* get BAR index */
     index = xen_pt_bar_offset_to_index(reg->offset);
-    if (index < 0 || index >= PCI_NUM_REGIONS) {
+    if (index < 0 || index >= PCI_NUM_REGIONS - 1) {
         XEN_PT_ERR(&s->dev, "Internal error: Invalid BAR index [%d].\n", index);
         return -1;
     }
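Review bot: the new bound `PCI_NUM_REGIONS - 1` repeats the array length as a hand-written expression, so the check will silently go stale if the declaration of s->real_device.io_regions[] ever changes. Deriving it from the array, e.g. `index >= ARRAY_SIZE(s->real_device.io_regions)`, would keep the check and the declaration in step. The commit message would also be clearer if it named the access in xen_pt_bar_reg_read() that the old `>= PCI_NUM_REGIONS` bound let through.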
-- 
1.7.12.4


* Re: [Qemu-devel] [PATCH v2 2/2] xen-pt: fix Out-of-bounds read
  2015-02-10  7:51 ` [Qemu-devel] [PATCH v2 2/2] xen-pt: fix Out-of-bounds read arei.gonglei
@ 2015-02-10  8:11   ` Stefano Stabellini
  2015-02-10  8:21     ` Gonglei
  0 siblings, 1 reply; 6+ messages in thread
From: Stefano Stabellini @ 2015-02-10  8:11 UTC (permalink / raw)
  To: Gonglei; +Cc: qemu-trivial, stefano.stabellini, qemu-devel, peter.huangpeng

On Tue, 10 Feb 2015, arei.gonglei@huawei.com wrote:
> From: Gonglei <arei.gonglei@huawei.com>
> 
> The array length of s->real_device.io_regions[] is
> "PCI_NUM_REGIONS - 1".
> 
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>

Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

I am happy for these patches to go in via the qemu-trivial tree.

>  hw/xen/xen_pt_config_init.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
> index 710fe50..d99c22e 100644
> --- a/hw/xen/xen_pt_config_init.c
> +++ b/hw/xen/xen_pt_config_init.c
> @@ -438,7 +438,7 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
>  
>      /* get BAR index */
>      index = xen_pt_bar_offset_to_index(reg->offset);
> -    if (index < 0 || index >= PCI_NUM_REGIONS) {
> +    if (index < 0 || index >= PCI_NUM_REGIONS - 1) {
>          XEN_PT_ERR(&s->dev, "Internal error: Invalid BAR index [%d].\n", index);
>          return -1;
>      }
> -- 
> 1.7.12.4
> 
> 


* Re: [Qemu-devel] [PATCH v2 2/2] xen-pt: fix Out-of-bounds read
  2015-02-10  8:11   ` Stefano Stabellini
@ 2015-02-10  8:21     ` Gonglei
  0 siblings, 0 replies; 6+ messages in thread
From: Gonglei @ 2015-02-10  8:21 UTC (permalink / raw)
  To: Stefano Stabellini; +Cc: qemu-trivial, mjt, qemu-devel, peter.huangpeng

On 2015/2/10 16:11, Stefano Stabellini wrote:
> On Tue, 10 Feb 2015, arei.gonglei@huawei.com wrote:
>> From: Gonglei <arei.gonglei@huawei.com>
>>
>> The array length of s->real_device.io_regions[] is
>> "PCI_NUM_REGIONS - 1".
>>
>> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> 
> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
> 
> I am happy for these patches to go in via the qemu-trivial tree.
> 
Thanks. Let me cc /mjt.

Regards,
-Gonglei
>>  hw/xen/xen_pt_config_init.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c
>> index 710fe50..d99c22e 100644
>> --- a/hw/xen/xen_pt_config_init.c
>> +++ b/hw/xen/xen_pt_config_init.c
>> @@ -438,7 +438,7 @@ static int xen_pt_bar_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
>>  
>>      /* get BAR index */
>>      index = xen_pt_bar_offset_to_index(reg->offset);
>> -    if (index < 0 || index >= PCI_NUM_REGIONS) {
>> +    if (index < 0 || index >= PCI_NUM_REGIONS - 1) {
>>          XEN_PT_ERR(&s->dev, "Internal error: Invalid BAR index [%d].\n", index);
>>          return -1;
>>      }
>> -- 
>> 1.7.12.4
>>
>>


* Re: [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects
  2015-02-10  7:51 [Qemu-devel] [PATCH v2 0/2] xen_pt: fix two Coverity defects arei.gonglei
  2015-02-10  7:51 ` [Qemu-devel] [PATCH v2 1/2] xen-pt: fix Negative array index read arei.gonglei
  2015-02-10  7:51 ` [Qemu-devel] [PATCH v2 2/2] xen-pt: fix Out-of-bounds read arei.gonglei
@ 2015-02-10 18:57 ` Michael Tokarev
  2 siblings, 0 replies; 6+ messages in thread
From: Michael Tokarev @ 2015-02-10 18:57 UTC (permalink / raw)
  To: arei.gonglei, qemu-devel, Stefano Stabellini
  Cc: qemu-trivial, peter.huangpeng

Applied both to -trivial, with minor commit message wording
fix for 1/1.

Thanks,

/mjt
