diff options
| author | Maciej S. Szmigiero <maciej.szmigiero@oracle.com> | 2023-11-13 20:00:51 +0100 |
|---|---|---|
| committer | Maciej S. Szmigiero <maciej.szmigiero@oracle.com> | 2024-03-08 14:18:56 +0100 |
| commit | 546987284a7da9106bbead1063553cbfe7ddd697 (patch) | |
| tree | 8007b751492ae3fe36958e700d09d955810babf0 /hw/hyperv | |
| parent | 1d3b82eabb1ad6b6fdeae0d94f2fb37506a351af (diff) | |
| download | qemu-546987284a7da9106bbead1063553cbfe7ddd697.zip qemu-546987284a7da9106bbead1063553cbfe7ddd697.tar.gz qemu-546987284a7da9106bbead1063553cbfe7ddd697.tar.bz2 | |
hv-balloon: define dm_hot_add_with_region to avoid Coverity warning
Since the presence of a hot add memory region is optional in hot add
request message it wasn't part of this message declaration
(struct dm_hot_add).
Instead, the code allocated such enlarged message by simply adding the
necessary size for this extra field to the size of basic hot add message
struct.
However, Coverity considers accessing this extra member to be
an out-of-bounds access, even thought the memory is actually there.
Fix this by adding an extended variant of this message that explicitly has
an additional union dm_mem_page_range at its end.
CID: #1523903
Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Diffstat (limited to 'hw/hyperv')
| -rw-r--r-- | hw/hyperv/hv-balloon.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/hw/hyperv/hv-balloon.c b/hw/hyperv/hv-balloon.c index 35333da..3a9ef07 100644 --- a/hw/hyperv/hv-balloon.c +++ b/hw/hyperv/hv-balloon.c @@ -513,8 +513,8 @@ ret_idle: static void hv_balloon_hot_add_rb_wait(HvBalloon *balloon, StateDesc *stdesc) { VMBusChannel *chan = hv_balloon_get_channel(balloon); - struct dm_hot_add *ha; - size_t ha_size = sizeof(*ha) + sizeof(ha->range); + struct dm_hot_add_with_region *ha; + size_t ha_size = sizeof(*ha); assert(balloon->state == S_HOT_ADD_RB_WAIT); @@ -530,8 +530,8 @@ static void hv_balloon_hot_add_posting(HvBalloon *balloon, StateDesc *stdesc) PageRange *hot_add_range = &balloon->hot_add_range; uint64_t *current_count = &balloon->ha_current_count; VMBusChannel *chan = hv_balloon_get_channel(balloon); - g_autofree struct dm_hot_add *ha = NULL; - size_t ha_size = sizeof(*ha) + sizeof(ha->range); + g_autofree struct dm_hot_add_with_region *ha = NULL; + size_t ha_size = sizeof(*ha); union dm_mem_page_range *ha_region; uint64_t align, chunk_max_size; ssize_t ret; @@ -560,7 +560,7 @@ static void hv_balloon_hot_add_posting(HvBalloon *balloon, StateDesc *stdesc) *current_count = MIN(hot_add_range->count, chunk_max_size); ha = g_malloc0(ha_size); - ha_region = &(&ha->range)[1]; + ha_region = &ha->region; ha->hdr.type = DM_MEM_HOT_ADD_REQUEST; ha->hdr.size = ha_size; ha->hdr.trans_id = balloon->trans_id; |