diff mbox series

[3/3] hw/nubus/nubus-device: Range check 'slot' property

Message ID 20240830173452.2086140-4-peter.maydell@linaro.org (mailing list archive)
State New, archived
Headers show
Series m68k: Fix a couple of Coverity nits | expand

Commit Message

Peter Maydell Aug. 30, 2024, 5:34 p.m. UTC
The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot
using an int32 "slot" QOM property.  Its realize method doesn't do
any range checking on this value, which Coverity notices by way of
the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might
overflow the 32-bit arithmetic it is using.

Constrain the slot value to be less than NUBUS_SLOT_NB (16).

Resolves: Coverity CID 1464070
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/nubus/nubus-device.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Thomas Huth Aug. 30, 2024, 10:03 p.m. UTC | #1
Am Fri, 30 Aug 2024 18:34:52 +0100
schrieb Peter Maydell <peter.maydell@linaro.org>:

> The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot
> using an int32 "slot" QOM property.  Its realize method doesn't do
> any range checking on this value, which Coverity notices by way of
> the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might
> overflow the 32-bit arithmetic it is using.
> 
> Constrain the slot value to be less than NUBUS_SLOT_NB (16).
> 
> Resolves: Coverity CID 1464070
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>  hw/nubus/nubus-device.c | 7 +++++++
>  1 file changed, 7 insertions(+)

Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Mark Cave-Ayland Sept. 1, 2024, 12:13 p.m. UTC | #2
On 30/08/2024 18:34, Peter Maydell wrote:

> The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot
> using an int32 "slot" QOM property.  Its realize method doesn't do
> any range checking on this value, which Coverity notices by way of
> the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might
> overflow the 32-bit arithmetic it is using.
> 
> Constrain the slot value to be less than NUBUS_SLOT_NB (16).
> 
> Resolves: Coverity CID 1464070
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/nubus/nubus-device.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c
> index be4cb246966..26fbcf29a2b 100644
> --- a/hw/nubus/nubus-device.c
> +++ b/hw/nubus/nubus-device.c
> @@ -35,6 +35,13 @@ static void nubus_device_realize(DeviceState *dev, Error **errp)
>       uint8_t *rom_ptr;
>       int ret;
>   
> +    if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) {
> +        error_setg(errp,
> +                   "'slot' value %d out of range (must be between 0 and %d)",
> +                   nd->slot, NUBUS_SLOT_NB - 1);
> +        return;
> +    }
> +
>       /* Super */
>       slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;

Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>


ATB,

Mark.
diff mbox series

Patch

diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c
index be4cb246966..26fbcf29a2b 100644
--- a/hw/nubus/nubus-device.c
+++ b/hw/nubus/nubus-device.c
@@ -35,6 +35,13 @@  static void nubus_device_realize(DeviceState *dev, Error **errp)
     uint8_t *rom_ptr;
     int ret;
 
+    if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) {
+        error_setg(errp,
+                   "'slot' value %d out of range (must be between 0 and %d)",
+                   nd->slot, NUBUS_SLOT_NB - 1);
+        return;
+    }
+
     /* Super */
     slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;