On Tue, 26 Feb 2019 at 04:53, David Gibson <da...@gibson.dropbear.id.au> wrote:
>
> From: Greg Kurz <gr...@kaod.org>


Hi -- Coverity points out a possible overflow here (CID 1399145):

> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index 00eb3b643c..b92deee771 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -3333,14 +3333,26 @@ static void spapr_nmi(NMIState *n, int cpu_index, 
> Error **errp)
>      }
>  }
>
> +int spapr_lmb_dt_populate(sPAPRDRConnector *drc, sPAPRMachineState *spapr,
> +                          void *fdt, int *fdt_start_offset, Error **errp)
> +{
> +    uint64_t addr;
> +    uint32_t node;
> +
> +    addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;
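Review bot: at the last `+` line, `addr = spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;` multiplies before it widens, so when both operands are 32-bit the product is truncated to 32 bits before being stored in the 64-bit `addr`; cast one operand first, e.g. `addr = (uint64_t)spapr_drc_index(drc) * SPAPR_MEMORY_BLOCK_SIZE;`. The quoted hunk ends here, before `node`, `fdt` and `fdt_start_offset` are used, so the rest of the function cannot be checked from what is shown.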

This multiplication is done as a 32x32, which might overflow and
be truncated before the result is put into the 64-bit result.
Casting one side or the other to uint64_t would fix this.

thanks
-- PMM
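The truncation Peter describes, as an added stand-alone example that is not QEMU code and not part of the original thread: both operands of the multiply are 32-bit, so C evaluates the product in 32-bit unsigned arithmetic and only then converts it to `uint64_t`. The block size and the identity `lmb_drc_index()` helper are constructed stand-ins (QEMU's `SPAPR_MEMORY_BLOCK_SIZE` is 256 MiB, but the macro name and the index mapping here are assumptions for illustration).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a 256 MiB memory block size. The literal has
 * type int, so uint32_t * int is carried out as a 32-bit multiply. */
#define BLOCK_SIZE_32 (1 << 28)

/* Hypothetical DRC index lookup: returns a 32-bit index, as the patch's
 * spapr_drc_index() is assumed to. Identity mapping for the example. */
static uint32_t lmb_drc_index(uint32_t lmb_index)
{
    return lmb_index;
}

/* Mirrors the patch line: the 32x32 product wraps modulo 2^32 before
 * it is widened into the 64-bit result. */
uint64_t lmb_addr_truncated(uint32_t lmb_index)
{
    uint64_t addr = lmb_drc_index(lmb_index) * BLOCK_SIZE_32;
    return addr;
}

/* The fix Peter suggests: widen one operand first so the multiplication
 * itself happens in 64 bits. */
uint64_t lmb_addr_widened(uint32_t lmb_index)
{
    uint64_t addr = (uint64_t)lmb_drc_index(lmb_index) * BLOCK_SIZE_32;
    return addr;
}

/* Returns 1 if the 32-bit product of this index would wrap, computed in
 * 64 bits so the check itself cannot overflow. */
int lmb_addr_overflows32(uint32_t lmb_index)
{
    return ((uint64_t)lmb_drc_index(lmb_index) * BLOCK_SIZE_32) > UINT32_MAX;
}

int main(void)
{
    /* Index 16 is the first one whose address needs more than 32 bits. */
    for (uint32_t i = 15; i <= 17; i++) {
        printf("index %2u: truncated 0x%09llx  widened 0x%09llx  wraps=%d\n",
               i,
               (unsigned long long)lmb_addr_truncated(i),
               (unsigned long long)lmb_addr_widened(i),
               lmb_addr_overflows32(i));
    }
    return 0;
}
```

With this block size, index 15 is the last one that survives the 32-bit multiply; index 16 produces 0 and index 17 produces 0x10000000 in the truncated form, i.e. the address of block 1, which is the kind of silent aliasing a guest device tree must not contain. The widened form gives 0x100000000 and 0x110000000 respectively.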
