diff options
author | Klaus Jensen <k.jensen@samsung.com> | 2021-03-12 14:55:29 +0100 |
---|---|---|
committer | Klaus Jensen <k.jensen@samsung.com> | 2021-03-18 12:34:51 +0100 |
commit | 9c62f1efa854e66ebb0650d85918e4fecd3ec648 (patch) | |
tree | 694e900c27622417827de7a8186cef7c3645881c | |
parent | b12498fc575f2ad30f09fe78badc7fef526e2d76 (diff) | |
download | qemu-9c62f1efa854e66ebb0650d85918e4fecd3ec648.zip qemu-9c62f1efa854e66ebb0650d85918e4fecd3ec648.tar.gz qemu-9c62f1efa854e66ebb0650d85918e4fecd3ec648.tar.bz2 |
hw/block/nvme: fix potential overflow
page_size is a uint32_t, and zasl is a uint8_t, so the expression
`page_size << zasl` is done using 32-bit arithmetic and might overflow.
Since we then compare this against a 64 bit data_size value, Coverity
complains that we might overflow unintentionally. An MDTS/ZASL value in
excess of 4GiB is probably impractical, but it is not entirely
unrealistic, so add a cast such that we handle that case properly.
Fixes: 578d914b263c ("hw/block/nvme: align zoned.zasl with mdts")
Fixes: CID 1450756
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
-rw-r--r-- | hw/block/nvme.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/block/nvme.c b/hw/block/nvme.c index d439e44..0d9b980 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -2188,7 +2188,8 @@ static uint16_t nvme_do_write(NvmeCtrl *n, NvmeRequest *req, bool append, goto invalid; } - if (n->params.zasl && data_size > n->page_size << n->params.zasl) { + if (n->params.zasl && + data_size > (uint64_t)n->page_size << n->params.zasl) { trace_pci_nvme_err_zasl(data_size); return NVME_INVALID_FIELD | NVME_DNR; } |