subject:"\[PATCH 2\/4\] hw\/hppa\/dino\: Fix reg800_keep_bits\[\] overrun \(CID 1419393 \& 1419394\)"

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

2020-02-17 Thread Philippe Mathieu-Daudé

On Tue, Feb 18, 2020 at 7:19 AM Philippe Mathieu-Daudé  wrote:
> On Mon, Feb 17, 2020 at 6:37 PM Peter Maydell  
> wrote:
> > On Thu, 13 Feb 2020 at 23:44, Philippe Mathieu-Daudé  
> > wrote:
> >
> >
> > > Fixes: Covertiy CID 1419393 and 1419394 (commit 18092598a5)
> > > Signed-off-by: Philippe Mathieu-Daudé 
> >
> > I think this also fixes CID 1419387 ?
>
> Ah I missed this one, indeed it does.

The description is erroneous, I'll respin.

>
> > thanks
> > -- PMM

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

2020-02-17 Thread Philippe Mathieu-Daudé

On Mon, Feb 17, 2020 at 6:37 PM Peter Maydell  wrote:
> On Thu, 13 Feb 2020 at 23:44, Philippe Mathieu-Daudé  wrote:
>
>
> > Fixes: Covertiy CID 1419393 and 1419394 (commit 18092598a5)
> > Signed-off-by: Philippe Mathieu-Daudé 
>
> I think this also fixes CID 1419387 ?

Ah I missed this one, indeed it does.

> thanks
> -- PMM

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

2020-02-17 Thread Peter Maydell

On Thu, 13 Feb 2020 at 23:44, Philippe Mathieu-Daudé  wrote:


> Fixes: Covertiy CID 1419393 and 1419394 (commit 18092598a5)
> Signed-off-by: Philippe Mathieu-Daudé 

I think this also fixes CID 1419387 ?

thanks
-- PMM

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

2020-02-15 Thread Helge Deller

On 14.02.20 00:41, Philippe Mathieu-Daudé wrote:
>
> Fixes: Covertiy CID 1419393 and 1419394 (commit 18092598a5)
> Signed-off-by: Philippe Mathieu-Daudé 

Acked-by: Helge Deller 

> ---
>  hw/hppa/dino.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c
> index c237ad3b1b..8868e31793 100644
> --- a/hw/hppa/dino.c
> +++ b/hw/hppa/dino.c
> @@ -83,7 +83,7 @@
>  #define DINO_PCI_HOST_BRIDGE(obj) \
>  OBJECT_CHECK(DinoState, (obj), TYPE_DINO_PCI_HOST_BRIDGE)
>
> -#define DINO800_REGS ((DINO_TLTIM - DINO_GMASK) / 4)
> +#define DINO800_REGS (1 + (DINO_TLTIM - DINO_GMASK) / 4)
>  static const uint32_t reg800_keep_bits[DINO800_REGS] = {
>  MAKE_64BIT_MASK(0, 1),  /* GMASK */
>  MAKE_64BIT_MASK(0, 7),  /* PAMR */
> @@ -96,6 +96,7 @@ static const uint32_t reg800_keep_bits[DINO800_REGS] = {
>  MAKE_64BIT_MASK(0, 30), /* BRDG_FEAT */
>  MAKE_64BIT_MASK(0, 25), /* PCIROR */
>  MAKE_64BIT_MASK(0, 22), /* PCIWOR */
> +MAKE_64BIT_MASK(0, 32), /* Undocumented */
>  MAKE_64BIT_MASK(0, 9),  /* TLTIM */
>  };
>
>

[PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

2020-02-13 Thread Philippe Mathieu-Daudé

Coverity reports:

  *** CID 1419393:  Memory - corruptions  (OVERRUN)
  /hw/hppa/dino.c: 363 in dino_chip_write_with_attrs()
  357 /* These registers are read-only.  */
  358 break;
  359
  360 case DINO_GMASK ... DINO_TLTIM:
  361 i = (addr - DINO_GMASK) / 4;
  362 val &= reg800_keep_bits[i];
  >>> CID 1419393:  Memory - corruptions  (OVERRUN)
  >>> Overrunning array "s->reg800" of 12 4-byte elements at element index 
12 (byte offset 48) using index "i" (which evaluates to 12).
  363 s->reg800[i] = val;
  364 break;
  365
  366 default:
  367 /* Controlled by dino_chip_mem_valid above.  */
  368 g_assert_not_reached();

and:

  *** CID 1419394:  Memory - illegal accesses  (OVERRUN)
  /hw/hppa/dino.c: 362 in dino_chip_write_with_attrs()
  356 case DINO_IRR1:
  357 /* These registers are read-only.  */
  358 break;
  359
  360 case DINO_GMASK ... DINO_TLTIM:
  361 i = (addr - DINO_GMASK) / 4;
  >>> CID 1419394:  Memory - illegal accesses  (OVERRUN)
  >>> Overrunning array "reg800_keep_bits" of 12 4-byte elements at element 
index 12 (byte offset 48) using index "i" (which evaluates to 12).
  362 val &= reg800_keep_bits[i];
  363 s->reg800[i] = val;
  364 break;
  365
  366 default:
  367 /* Controlled by dino_chip_mem_valid above.  */

Indeed the array should contain 13 entries, the undocumented
register 0x82c is missing. Fix by increasing the array size
and adding the missing register.

CID 1419393 can be verified with:

  $ echo x 0xfff80830 | hppa-softmmu/qemu-system-hppa -S -monitor stdio 
-display none
  QEMU 4.2.50 monitor - type 'help' for more information
  (qemu) x 0xfff80830
  qemu/hw/hppa/dino.c:267:15: runtime error: index 12 out of bounds for type 
'uint32_t [12]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
/home/phil/source/qemu/hw/hppa/dino.c:267:15 in
  fff80830: 0x

and CID 1419394 with:

  $ echo writeb 0xfff80830 0x69 \
| hppa-softmmu/qemu-system-hppa -S -accel qtest -qtest stdio -display none
  [I 1581634452.654113] OPENED
  [R +4.105415] writeb 0xfff80830 0x69
  qemu/hw/hppa/dino.c:362:16: runtime error: index 12 out of bounds for type 
'const uint32_t [12]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
qemu/hw/hppa/dino.c:362:16 in
  =
  ==29607==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x5577dae32f30 at pc 0x5577d93f2463 bp 0x7ffd97ea11b0 sp 0x7ffd97ea11a8
  READ of size 4 at 0x5577dae32f30 thread T0
  #0 0x5577d93f2462 in dino_chip_write_with_attrs qemu/hw/hppa/dino.c:362:16
  #1 0x5577d9025664 in memory_region_write_with_attrs_accessor 
qemu/memory.c:503:12
  #2 0x5577d9024920 in access_with_adjusted_size qemu/memory.c:539:18
  #3 0x5577d9023608 in memory_region_dispatch_write qemu/memory.c:1482:13
  #4 0x5577d8e3177a in flatview_write_continue qemu/exec.c:3166:23
  #5 0x5577d8e20357 in flatview_write qemu/exec.c:3206:14
  #6 0x5577d8e1fef4 in address_space_write qemu/exec.c:3296:18
  #7 0x5577d8e20693 in address_space_rw qemu/exec.c:3306:16
  #8 0x5577d9011595 in qtest_process_command qemu/qtest.c:432:13
  #9 0x5577d900d19f in qtest_process_inbuf qemu/qtest.c:705:9
  #10 0x5577d900ca22 in qtest_read qemu/qtest.c:717:5
  #11 0x5577da8c4254 in qemu_chr_be_write_impl qemu/chardev/char.c:183:9
  #12 0x5577da8c430c in qemu_chr_be_write qemu/chardev/char.c:195:9
  #13 0x5577da8cf587 in fd_chr_read qemu/chardev/char-fd.c:68:9
  #14 0x5577da9836cd in qio_channel_fd_source_dispatch 
qemu/io/channel-watch.c:84:12
  #15 0x7faf44509ecc in g_main_context_dispatch 
(/lib64/libglib-2.0.so.0+0x4fecc)
  #16 0x5577dab75f96 in glib_pollfds_poll qemu/util/main-loop.c:219:9
  #17 0x5577dab74797 in os_host_main_loop_wait qemu/util/main-loop.c:242:5
  #18 0x5577dab7435a in main_loop_wait qemu/util/main-loop.c:518:11
  #19 0x5577d9514eb3 in main_loop qemu/vl.c:1682:9
  #20 0x5577d950699d in main qemu/vl.c:4450:5
  #21 0x7faf41a87f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
  #22 0x5577d8cd4d4d in _start 
(qemu/build/sanitizer/hppa-softmmu/qemu-system-hppa+0x1256d4d)

  0x5577dae32f30 is located 0 bytes to the right of global variable 
'reg800_keep_bits' defined in 'qemu/hw/hppa/dino.c:87:23' (0x5577dae32f00) of 
size 48
  SUMMARY: AddressSanitizer: global-buffer-overflow qemu/hw/hppa/dino.c:362:16 
in dino_chip_write_with_attrs
  Shadow bytes around the buggy address:
0x0aaf7b5be590: 00 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x0aaf7b5be5a0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
0x0aaf7b5be5b0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0aaf7b5be5c0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 00 00 00

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

Re: [PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

[PATCH 2/4] hw/hppa/dino: Fix reg800_keep_bits[] overrun (CID 1419393 & 1419394)

5 matches

Site Navigation

Mail list logo

Footer information