authorPeter Maydell <peter.maydell@linaro.org>2024-08-30 18:34:52 +0100
committerThomas Huth <huth@tuxfamily.org>2024-09-08 11:49:49 +0200
commitdf827aace663fdd9c432e2ff76fb13d20cbc0ca4 (patch)
tree7de5e9ae24e16716faaa3fa01776fe3b65f895a3
parent175f5a5b48033579d4de5c904a9f43c0d327152e (diff)
hw/nubus/nubus-device: Range check 'slot' property
The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot using an int32 "slot" QOM property. Its realize method doesn't do any range checking on this value, which Coverity notices by way of the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might overflow the 32-bit arithmetic it is using. Constrain the slot value to be less than NUBUS_SLOT_NB (16). Resolves: Coverity CID 1464070 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-ID: <20240830173452.2086140-4-peter.maydell@linaro.org> Reviewed-by: Thomas Huth <huth@tuxfamily.org> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Signed-off-by: Thomas Huth <huth@tuxfamily.org>
-rw-r--r--hw/nubus/nubus-device.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c
index be4cb24..26fbcf2 100644
--- a/hw/nubus/nubus-device.c
+++ b/hw/nubus/nubus-device.c
@@ -35,6 +35,13 @@ static void nubus_device_realize(DeviceState *dev, Error **errp)
uint8_t *rom_ptr;
int ret;
+ if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) {
+ error_setg(errp,
+ "'slot' value %d out of range (must be between 0 and %d)",
+ nd->slot, NUBUS_SLOT_NB - 1);
+ return;
+ }
+
/* Super */
slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;
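Review bot: The new range check at the top of nubus_device_realize() is the only thing keeping `nd->slot * NUBUS_SUPER_SLOT_SIZE` on the last line of the hunk inside 32-bit arithmetic, but nothing in the code records that dependency. A comment above the `if`, such as `/* 'slot' is user-settable; bound it before the 32-bit offset arithmetic below */`, would keep a later refactor from moving or dropping the guard. The multiplication is still evaluated in the narrower type, so widening one operand, `slot_offset = (uint64_t)nd->slot * NUBUS_SUPER_SLOT_SIZE;`, would make it safe independently of the check; this assumes slot_offset is a 64-bit type, and its declaration is outside the hunk. Because the property is set by the user, any code that reads nd->slot before realize runs would need the same bound, though none is visible here. The function body starts and ends outside this hunk.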