authorJeuk Kim <jeuk20.kim@samsung.com>2023-09-18 10:02:36 +0900
committerJeuk Kim <jeuk20.kim@samsung.com>2023-10-13 13:56:28 +0900
commit97970dae534226f045ff08c77bdb8a25e19fa023 (patch)
tree4780b2eb46a658c28186c59fcbc1e4c3f3f8b619 /hw/ufs
parent63011373ad22c794a013da69663c03f1297a5c56 (diff)
hw/ufs: Fix code coverity issues
Fixed four ufs-related coverity issues.

The coverity issues and fixes are as follows:

1. CID 1519042: Security issue with the rand() function
   Changed to use a fixed value (0xab) instead of rand() as the value for testing

2. CID 1519043: Dereference after null check
   Removed useless (redundant) null checks

3. CID 1519050: Out-of-bounds access issue
   Fix to pass an array type variable to find_first_bit and find_next_bit using DECLARE_BITMAP()

4. CID 1519051: Out-of-bounds read issue
   Fix incorrect range check for lun

Fix coverity CID: 1519042 1519043 1519050 1519051
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Diffstat (limited to 'hw/ufs')
-rw-r--r--hw/ufs/lu.c16
-rw-r--r--hw/ufs/ufs.c10
2 files changed, 12 insertions, 14 deletions
diff --git a/hw/ufs/lu.c b/hw/ufs/lu.c
index e1c46bd..13b5e37 100644
--- a/hw/ufs/lu.c
+++ b/hw/ufs/lu.c
@@ -1345,13 +1345,12 @@ static void ufs_lu_realize(SCSIDevice *dev, Error **errp)
return;
}
- if (lu->qdev.conf.blk) {
- ctx = blk_get_aio_context(lu->qdev.conf.blk);
- aio_context_acquire(ctx);
- if (!blkconf_blocksizes(&lu->qdev.conf, errp)) {
- goto out;
- }
+ ctx = blk_get_aio_context(lu->qdev.conf.blk);
+ aio_context_acquire(ctx);
+ if (!blkconf_blocksizes(&lu->qdev.conf, errp)) {
+ goto out;
}
+
lu->qdev.blocksize = UFS_BLOCK_SIZE;
blk_get_geometry(lu->qdev.conf.blk, &nb_sectors);
nb_blocks = nb_sectors / (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
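Review bot: The now-unconditional `blk_get_aio_context(lu->qdev.conf.blk)` relies on `conf.blk` being non-NULL, and nothing in this hunk shows where that is guaranteed; presumably the check that ends in the `return;` just above rejects a missing drive, but ufs_lu_realize starts outside the hunk so this cannot be confirmed here. Stating the invariant at the point of use would keep a later reader or a later static-analysis pass from re-adding the guard, e.g. `assert(lu->qdev.conf.blk); /* rejected earlier if the drive is unset */`. The same invariant carries into the next hunk, where `aio_context_release(ctx)` at `out:` is unconditional: every `goto out` has to stay after `aio_context_acquire(ctx)`, and any failure path added before the acquire has to `return` instead.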
@@ -1367,10 +1366,9 @@ static void ufs_lu_realize(SCSIDevice *dev, Error **errp)
}
ufs_lu_brdv_init(lu, errp);
+
out:
- if (ctx) {
- aio_context_release(ctx);
- }
+ aio_context_release(ctx);
}
static void ufs_lu_unrealize(SCSIDevice *dev)
diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index 0ecedb9..2e6d582 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -258,7 +258,7 @@ static void ufs_irq_check(UfsHc *u)
static void ufs_process_db(UfsHc *u, uint32_t val)
{
- unsigned long doorbell;
+ DECLARE_BITMAP(doorbell, UFS_MAX_NUTRS);
uint32_t slot;
uint32_t nutrs = u->params.nutrs;
UfsRequest *req;
@@ -268,8 +268,8 @@ static void ufs_process_db(UfsHc *u, uint32_t val)
return;
}
- doorbell = val;
- slot = find_first_bit(&doorbell, nutrs);
+ doorbell[0] = val;
+ slot = find_first_bit(doorbell, nutrs);
while (slot < nutrs) {
req = &u->req_list[slot];
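Review bot: `doorbell[0] = val;` initialises only the first word of the bitmap, while `DECLARE_BITMAP(doorbell, UFS_MAX_NUTRS)` in the previous hunk leaves any further words as uninitialised stack data. That is harmless only while UFS_MAX_NUTRS fits in one `unsigned long` and `nutrs` never exceeds it; neither the constant's value nor a bound on `u->params.nutrs` is visible in these hunks. I would make the assumption explicit with `bitmap_zero(doorbell, UFS_MAX_NUTRS);` before the assignment, or pin it at build time with `QEMU_BUILD_BUG_ON(UFS_MAX_NUTRS > 32);` since `val` is a `uint32_t`. The `find_next_bit(doorbell, nutrs, slot + 1)` call in the following hunk scans the same bitmap and is covered by the same change; the body of ufs_process_db continues outside these hunks.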
@@ -285,7 +285,7 @@ static void ufs_process_db(UfsHc *u, uint32_t val)
trace_ufs_process_db(slot);
req->state = UFS_REQUEST_READY;
- slot = find_next_bit(&doorbell, nutrs, slot + 1);
+ slot = find_next_bit(doorbell, nutrs, slot + 1);
}
qemu_bh_schedule(u->doorbell_bh);
@@ -838,7 +838,7 @@ static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
uint8_t lun = req->req_upiu.qr.index;
if (lun != UFS_UPIU_RPMB_WLUN &&
- (lun > UFS_MAX_LUS || u->lus[lun] == NULL)) {
+ (lun >= UFS_MAX_LUS || u->lus[lun] == NULL)) {
trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
return UFS_QUERY_RESULT_INVALID_INDEX;
}
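Review bot: The RPMB WLUN exemption on the first line of the condition means a `lun` equal to `UFS_UPIU_RPMB_WLUN` passes this check without ever being compared against `UFS_MAX_LUS`. The rest of ufs_read_unit_desc is outside the hunk, so whether it branches on that value before touching `u->lus[lun]` cannot be seen here; if it does not, the corrected `>=` bound would still leave an out-of-range index reachable through the request's `qr.index` field. A short comment above the check would record the contract, e.g. `/* RPMB WLUN is not stored in u->lus[]; it must be handled separately below */`.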