| Message ID | 20241226141626.28722-1-tsogomonian@astralinux.ru (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | hw/misc: cast nand_getio value to uint64_t | expand |
Tigran Sogomonian <tsogomonian@astralinux.ru> writes: > s->buswidth = nand_flash_ids[s->chip_id].width >> 3; > <= 16 >> 3 <= 2. > x <= s->ioaddr[offset] << (s->buswidth << 3) > <= max_uint8_t << 16 > With x << 24 overflow is possible. > Other cases are similar. > Thus, need to cast return value to uint64_t. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Signed-off-by: Tigran Sogomonian <tsogomonian@astralinux.ru> This code was removed in 192f75ad11 (hw/misc: Remove omap_gpmc)
27/12/24 01:49, Alex Bennée пишет: > Tigran Sogomonian <tsogomonian@astralinux.ru> writes: > >> s->buswidth = nand_flash_ids[s->chip_id].width >> 3; >> <= 16 >> 3 <= 2. >> x <= s->ioaddr[offset] << (s->buswidth << 3) >> <= max_uint8_t << 16 >> With x << 24 overflow is possible. >> Other cases are similar. >> Thus, need to cast return value to uint64_t. >> >> Found by Linux Verification Center (linuxtesting.org) with SVACE. >> >> Signed-off-by: Tigran Sogomonian <tsogomonian@astralinux.ru> > This code was removed in 192f75ad11 (hw/misc: Remove omap_gpmc) Yes, I saw that upstream master doesn't have this code, but some users use stable-9.1. I suggest adding these changes not to the main branch, but to the stable-9.1 branch.
diff --git a/hw/misc/omap_gpmc.c b/hw/misc/omap_gpmc.c index 67158eb164..b0a48c71de 100644 --- a/hw/misc/omap_gpmc.c +++ b/hw/misc/omap_gpmc.c @@ -139,8 +139,8 @@ static uint64_t omap_nand_read(void *opaque, hwaddr addr, if (size == 2) { return v; } - v |= (nand_getio(f->dev) << 16); - v |= (nand_getio(f->dev) << 24); + v |= ((uint64_t)nand_getio(f->dev) << 16); + v |= ((uint64_t)nand_getio(f->dev) << 24); return v; case OMAP_GPMC_16BIT: v = nand_getio(f->dev); @@ -151,7 +151,7 @@ static uint64_t omap_nand_read(void *opaque, hwaddr addr, if (size == 2) { return v; } - v |= (nand_getio(f->dev) << 16); + v |= ((uint64_t)nand_getio(f->dev) << 16); return v; default: abort();
s->buswidth = nand_flash_ids[s->chip_id].width >> 3; <= 16 >> 3 <= 2. x <= s->ioaddr[offset] << (s->buswidth << 3) <= max_uint8_t << 16 With x << 24 overflow is possible. Other cases are similar. Thus, need to cast return value to uint64_t. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Tigran Sogomonian <tsogomonian@astralinux.ru> --- hw/misc/omap_gpmc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)