From patchwork Fri Aug 30 17:34:50 2024
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 13785399
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Thomas Huth, Laurent Vivier
Subject: [PATCH 1/3] hw/m68k/mcf5208: Avoid shifting off end of integer
Date: Fri, 30 Aug 2024 18:34:50 +0100
Message-Id: <20240830173452.2086140-2-peter.maydell@linaro.org>
In-Reply-To: <20240830173452.2086140-1-peter.maydell@linaro.org>
References: <20240830173452.2086140-1-peter.maydell@linaro.org>

In m5208_sys_read(), we have a loop of n from 0 to 31, and we
calculate (2u << n). For the n == 31 iteration this will shift off the
top of the unsigned 32 bit integer.

This is harmless, because we're going to stop the loop with n == 31
anyway, but we can avoid the error by using 64-bit arithmetic here.

(The SDCS0 register is documented at
https://www.nxp.com/docs/en/reference-manual/MCF5208RM.pdf
section 18.4.5; we want the lower 5 bits to indicate the RAM size,
where 31 == 4GB, 30 == 2GB, and so on down. As it happens, the layout
of the mcf5208evb board memory map means it doesn't make sense to have
more than 1GB of RAM in any case.)

Resolves: Coverity CID 1547727
Signed-off-by: Peter Maydell
Reviewed-by: Thomas Huth
---
 hw/m68k/mcf5208.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/m68k/mcf5208.c b/hw/m68k/mcf5208.c index ec14096aa43..0ad347dfa81 100644 --- a/hw/m68k/mcf5208.c +++ b/hw/m68k/mcf5208.c 
@@ -158,7 +158,7 @@ static uint64_t m5208_sys_read(void *opaque, hwaddr addr, { int n; for (n = 0; n < 32; n++) { - if (current_machine->ram_size < (2u << n)) { + if (current_machine->ram_size < (2ULL << n)) { break; } }

From patchwork Fri Aug 30 17:34:51 2024
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 13785396
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Thomas Huth, Laurent Vivier
Subject: [PATCH 2/3] hw/m68k/mcf5208: Add URLs for datasheets
Date: Fri, 30 Aug 2024 18:34:51 +0100
Message-Id: <20240830173452.2086140-3-peter.maydell@linaro.org>
In-Reply-To: <20240830173452.2086140-1-peter.maydell@linaro.org>
References: <20240830173452.2086140-1-peter.maydell@linaro.org>

The datasheets for the SoC and board we model here are still
available from the NXP website; add their URLs and titles for
future reference.

Signed-off-by: Peter Maydell
Reviewed-by: Thomas Huth
---
 hw/m68k/mcf5208.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/m68k/mcf5208.c b/hw/m68k/mcf5208.c index 0ad347dfa81..b6677ad6bc3 100644 --- a/hw/m68k/mcf5208.c +++ b/hw/m68k/mcf5208.c 
@@ -4,6 +4,14 @@ * Copyright (c) 2007 CodeSourcery. * * This code is licensed under the GPL + * + * This file models both the MCF5208 SoC, and the + * MCF5208EVB evaluation board. For details see + * + * "MCF5208 Reference Manual" + * https://www.nxp.com/docs/en/reference-manual/MCF5208RM.pdf + * "M5208EVB-RevB 32-bit Microcontroller User Manual" + * https://www.nxp.com/docs/en/reference-manual/M5208EVBUM.pdf */ #include "qemu/osdep.h"

From patchwork Fri Aug 30 17:34:52 2024
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 13785398
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Thomas Huth, Laurent Vivier
Subject: [PATCH 3/3] hw/nubus/nubus-device: Range check 'slot' property
Date: Fri, 30 Aug 2024 18:34:52 +0100
Message-Id: <20240830173452.2086140-4-peter.maydell@linaro.org>
In-Reply-To: <20240830173452.2086140-1-peter.maydell@linaro.org>
References: <20240830173452.2086140-1-peter.maydell@linaro.org>

The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot
using an int32 "slot" QOM property. Its realize method doesn't do
any range checking on this value, which Coverity notices by way of
the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might
overflow the 32-bit arithmetic it is using.

Constrain the slot value to be less than NUBUS_SLOT_NB (16).

Resolves: Coverity CID 1464070
Signed-off-by: Peter Maydell
Reviewed-by: Thomas Huth
Reviewed-by: Mark Cave-Ayland
---
 hw/nubus/nubus-device.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c index be4cb246966..26fbcf29a2b 100644 --- a/hw/nubus/nubus-device.c +++ b/hw/nubus/nubus-device.c 
@@ -35,6 +35,13 @@ static void nubus_device_realize(DeviceState *dev, Error **errp) uint8_t *rom_ptr; int ret; + if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) { + error_setg(errp, + "'slot' value %d out of range (must be between 0 and %d)", + nd->slot, NUBUS_SLOT_NB - 1); + return; + } + /* Super */ slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;
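
Review bot: in hw/m68k/mcf5208.c (patch 1/3), the changed comparison in m5208_sys_read() alters the value of n left by the loop for a ram_size in [2 GiB, 4 GiB), which the commit message does not mention when it calls the old shift harmless. With `2u << n` the n == 31 term wraps to 0 in 32-bit unsigned arithmetic, so the comparison is false and the loop runs out with n == 32; with `2ULL << n` the term is 4 GiB, so such a ram_size now breaks at n == 31. The code that consumes n is outside this hunk, so it is worth confirming that it yields the intended SDCS0 size field for both exits, and stating in the commit message either that the result for those RAM sizes changes or that the board never allows that much RAM.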
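
Review bot: in the header comment added to hw/m68k/mcf5208.c (patch 2/3), the prose calls the board MCF5208EVB while the cited manual title reads M5208EVB-RevB; a short word on the naming, or using the manual's own name, would save a reader from wondering whether these are the same board. Vendor URLs tend to move, so consider noting the document revision or date next to each title as well, and drop the comma in "SoC, and the".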
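
Review bot: in nubus_device_realize() (patch 3/3), the new bound is only as good as the arithmetic in `slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE` just below it, and neither the definition of NUBUS_SUPER_SLOT_SIZE nor the type of slot_offset is visible in this hunk. Please confirm that the product for nd->slot == NUBUS_SLOT_NB - 1 still fits, and if the constant is a plain signed int, do the multiplication in an unsigned or 64-bit type so that the check fully addresses the overflow Coverity reported. A one-line comment above the check saying that 'slot' is a user-settable property would also help future readers see why it is validated here.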