From 8ccd35f25cdf2e03f44585a11b7daf93d1d46a3a Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 21 Jul 2025 10:07:53 +0100 Subject: hw/misc/ivshmem-pci: Improve error handling Coverity points out that the ivshmem-pci code has some error handling cases where it incorrectly tries to use an invalid filedescriptor. These generally happen because ivshmem_recv_msg() calls qemu_chr_fe_get_msgfd(), which might return -1, but the code in process_msg() generally assumes that the file descriptor was provided when it was supposed to be. In particular: * the error case in process_msg() only needs to close the fd if one was provided * process_msg_shmem() should fail if no fd was provided Coverity: CID 1508726 Signed-off-by: Peter Maydell Reviewed-by: Markus Armbruster Message-id: 20250711145012.1521936-1-peter.maydell@linaro.org
---
 hw/misc/ivshmem-pci.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'hw/misc')
diff --git a/hw/misc/ivshmem-pci.c b/hw/misc/ivshmem-pci.c
index 5a10bca..d47ae73 100644
--- a/hw/misc/ivshmem-pci.c
+++ b/hw/misc/ivshmem-pci.c
@@ -479,6 +479,11 @@ static void process_msg_shmem(IVShmemState *s, int fd, Error **errp)
 struct stat buf;
 size_t size;
+ if (fd < 0) {
+ error_setg(errp, "server didn't provide fd with shared memory message");
+ return;
+ }
+
 if (s->ivshmem_bar2) {
 error_setg(errp, "server sent unexpected shared memory message");
 close(fd);
@@ -553,7 +558,9 @@ static void process_msg(IVShmemState *s, int64_t msg, int fd, Error **errp)
 if (msg < -1 || msg > IVSHMEM_MAX_PEERS) {
 error_setg(errp, "server sent invalid message %" PRId64, msg);
- close(fd);
+ if (fd >= 0) {
+ close(fd);
+ }
 return;
 }
-- cgit v1.1
From 30dbcd9283988ba352181cb42c6a69ae32075363 Mon Sep 17 00:00:00 2001
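Review bot: The new `fd < 0` guard at the top of process_msg_shmem() carries no comment explaining when a message can arrive without a descriptor, and the `if (fd >= 0)` guard added in process_msg() (second hunk) depends on the same unstated convention. The commit message attributes it to qemu_chr_fe_get_msgfd() returning -1, so a short comment above the check, e.g. `/* fd is -1 if the server sent this message without attaching a descriptor */`, would keep that contract visible where it is enforced. Both function bodies continue outside their hunks, so whether the remaining paths that use or close fd are covered by these two guards cannot be confirmed from this page.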
From: Jackson Donaldson Date: Mon, 21 Jul 2025 10:07:53 +0100 Subject: hw/misc/max78000_aes: Comment Internal Key Storage Coverity Scan noted an unusual pattern in the MAX78000 aes device, with duplicated calls to set_decrypt. This commit adds a comment noting why the implementation is correct. Signed-off-by: Jackson Donaldson Message-id: 20250716002622.84685-1-jcksn@duck.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell
---
 hw/misc/max78000_aes.c | 6 ++++++
 1 file changed, 6 insertions(+) (limited to 'hw/misc')
diff --git a/hw/misc/max78000_aes.c b/hw/misc/max78000_aes.c
index 0bfb2f0..d883ddd 100644
--- a/hw/misc/max78000_aes.c
+++ b/hw/misc/max78000_aes.c
@@ -79,6 +79,12 @@ static void max78000_aes_do_crypto(Max78000AesState *s)
 keydata += 8;
 }
+ /*
+ * The MAX78000 AES engine stores an internal key, which it uses only
+ * for decryption. This results in the slighly odd looking pairs of
+ * set_encrypt and set_decrypt calls below; s->internal_key is
+ * being stored for later use in both cases.
+ */
 AES_KEY key;
 if ((s->ctrl & TYPE) == 0) {
 AES_set_encrypt_key(keydata, keylen, &key);
-- cgit v1.1
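Review bot: The added comment in max78000_aes_do_crypto() has a typo (`slighly` should be `slightly`) and refers to `set_encrypt and set_decrypt calls`, while the call visible in the hunk is `AES_set_encrypt_key`; using the full names `AES_set_encrypt_key`/`AES_set_decrypt_key` would make the comment greppable. Since the comment documents where key material is retained, it would also help to say in one clause which branch writes `s->internal_key`, as those assignments fall outside the hunk and cannot be checked here.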