On Tue, 26 Feb 2019 at 04:53, David Gibson <da...@gibson.dropbear.id.au> wrote:
> > From: Greg Kurz <gr...@kaod.org>
Hi -- Coverity points out a possible overflow here (CID 1399145):

> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c > index 00eb3b643c..b92deee771 100644 > --- a/hw/ppc/spapr.c > +++ b/hw/ppc/spapr.c > @@ -3333,14 +3333,26 @@ static void spapr_nmi(NMIState *n, int cpu_index, > Error **errp) > } > } > > +int spapr_lmb_dt_populate(sPAPRDRConnector *drc, sPAPRMachineState *spapr, > + void *fdt, int *fdt_start_offset, Error **errp) > +{ > + uint64_t addr; > + uint32_t node; > + > + addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;

This multiplication is done as a 32x32, which might overflow and be truncated before the result is put into the 64-bit result. Casting one side or the other to uint64_t would fix this.

thanks
-- PMM
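Review bot: on the `+ addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;` line, the cast has to land on an operand, not on the product: `addr = (uint64_t)spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;` makes the multiply itself 64-bit, whereas `(uint64_t)(spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE)` or relying on the assignment to the `uint64_t addr` declared just above both widen only after the 32-bit product has already wrapped. A one-line comment next to the cast would stop it being removed as "redundant" in a later cleanup.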