Google Git
Sign in
qemu / qemu / 32f1c201eedf992c2ac8033d8af95f1ff1758a4d
commit32f1c201eedf992c2ac8033d8af95f1ff1758a4d[log] [tgz]
authorPeter Maydell <peter.maydell@linaro.org>Tue Jul 23 14:10:27 2024 +0100
committerPeter Maydell <peter.maydell@linaro.org>Mon Jul 29 16:55:59 2024 +0100
tree244d5aee5b976ca75568dcd94d0ab06052f9b02d
parent0892fffc2abaadfb5d8b79bb0250ae1794862560 [diff]
hw/misc/bcm2835_property: Avoid overflow in OTP access properties

Coverity points out that in our handling of the property
RPI_FWREQ_SET_CUSTOMER_OTP we have a potential overflow.  This
happens because we read start_num and number from the guest as
unsigned 32 bit integers, but then the variable 'n' we use as a loop
counter as we iterate from start_num to start_num + number is only an
"int".  That means that if the guest passes us a very large start_num
we will interpret it as negative.  This will result in an assertion
failure inside bcm2835_otp_set_row(), which checks that we didn't
pass it an invalid row number.

A similar issue applies to all the properties for accessing OTP rows
where we are iterating through with a start and length read from the
guest.

Use uint32_t for the loop counter to avoid this problem. Because in
all cases 'n' is only used as a loop counter, we can do this as
part of the for(), restricting its scope to exactly where we need it.

Resolves: Coverity CID 1549401
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240723131029.1159908-3-peter.maydell@linaro.org
1 file changed
tree: 244d5aee5b976ca75568dcd94d0ab06052f9b02d
  1. .github/
  2. .gitlab/
  3. .gitlab-ci.d/
  4. accel/
  5. audio/
  6. authz/
  7. backends/
  8. block/
  9. bsd-user/
  10. chardev/
  11. common-user/
  12. configs/
  13. contrib/
  14. crypto/
  15. disas/
  16. docs/
  17. dump/
  18. ebpf/
  19. fpu/
  20. fsdev/
  21. gdb-xml/
  22. gdbstub/
  23. host/
  24. hw/
  25. include/
  26. io/
  27. libdecnumber/
  28. linux-headers/
  29. linux-user/
  30. migration/
  31. monitor/
  32. nbd/
  33. net/
  34. pc-bios/
  35. plugins/
  36. po/
  37. python/
  38. qapi/
  39. qga/
  40. qobject/
  41. qom/
  42. replay/
  43. roms/
  44. scripts/
  45. scsi/
  46. semihosting/
  47. stats/
  48. storage-daemon/
  49. stubs/
  50. subprojects/
  51. system/
  52. target/
  53. tcg/
  54. tests/
  55. tools/
  56. trace/
  57. ui/
  58. util/
  59. .dir-locals.el
  60. .editorconfig
  61. .exrc
  62. .gdbinit
  63. .git-blame-ignore-revs
  64. .gitattributes
  65. .gitignore
  66. .gitlab-ci.yml
  67. .gitmodules
  68. .gitpublish
  69. .mailmap
  70. .patchew.yml
  71. .readthedocs.yml
  72. .travis.yml
  73. block.c
  74. blockdev-nbd.c
  75. blockdev.c
  76. blockjob.c
  77. configure
  78. COPYING
  79. COPYING.LIB
  80. cpu-common.c
  81. cpu-target.c
  82. event-loop-base.c
  83. gitdm.config
  84. hmp-commands-info.hx
  85. hmp-commands.hx
  86. iothread.c
  87. job-qmp.c
  88. job.c
  89. Kconfig
  90. Kconfig.host
  91. LICENSE
  92. MAINTAINERS
  93. Makefile
  94. meson.build
  95. meson_options.txt
  96. module-common.c
  97. os-posix.c
  98. os-win32.c
  99. page-target.c
  100. page-vary-common.c
  101. page-vary-target.c
  102. pythondeps.toml
  103. qemu-bridge-helper.c
  104. qemu-edid.c
  105. qemu-img-cmds.hx
  106. qemu-img.c
  107. qemu-io-cmds.c
  108. qemu-io.c
  109. qemu-keymap.c
  110. qemu-nbd.c
  111. qemu-options.hx
  112. qemu.nsi
  113. qemu.sasl
  114. README.rst
  115. replication.c
  116. trace-events
  117. VERSION
  118. version.rc