diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2024-07-23 14:10:27 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2024-07-29 16:55:59 +0100 |
| commit | 32f1c201eedf992c2ac8033d8af95f1ff1758a4d (patch) | |
| tree | 244d5aee5b976ca75568dcd94d0ab06052f9b02d /module-common.c | |
| parent | 0892fffc2abaadfb5d8b79bb0250ae1794862560 (diff) | |
| download | qemu-32f1c201eedf992c2ac8033d8af95f1ff1758a4d.zip qemu-32f1c201eedf992c2ac8033d8af95f1ff1758a4d.tar.gz qemu-32f1c201eedf992c2ac8033d8af95f1ff1758a4d.tar.bz2 | |
hw/misc/bcm2835_property: Avoid overflow in OTP access properties
Coverity points out that in our handling of the property
RPI_FWREQ_SET_CUSTOMER_OTP we have a potential overflow. This
happens because we read start_num and number from the guest as
unsigned 32 bit integers, but then the variable 'n' we use as a loop
counter as we iterate from start_num to start_num + number is only an
"int". That means that if the guest passes us a very large start_num
we will interpret it as negative. This will result in an assertion
failure inside bcm2835_otp_set_row(), which checks that we didn't
pass it an invalid row number.
A similar issue applies to all the properties for accessing OTP rows
where we are iterating through with a start and length read from the
guest.
Use uint32_t for the loop counter to avoid this problem. Because in
all cases 'n' is only used as a loop counter, we can do this as
part of the for(), restricting its scope to exactly where we need it.
Resolves: Coverity CID 1549401
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240723131029.1159908-3-peter.maydell@linaro.org
Diffstat (limited to 'module-common.c')
0 files changed, 0 insertions, 0 deletions