Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Igor Mammedov
On Thu, 26 Mar 2020 09:31:09 -0400 "Michael S. Tsirkin" wrote: > On Thu, Mar 26, 2020 at 09:28:27AM -0400, Michael S. Tsirkin wrote: > > On Thu, Mar 26, 2020 at 02:23:17PM +0100, Igor Mammedov wrote: > > > On Thu, 26 Mar 2020 11:52:36 + > > > Peter Maydell wrote: > > > > > > > Hi;

Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Michael S. Tsirkin
On Thu, Mar 26, 2020 at 01:50:41PM +0100, Igor Mammedov wrote: > On Thu, 26 Mar 2020 13:29:01 +0100 > Igor Mammedov wrote: > > > On Thu, 26 Mar 2020 11:52:36 + > > Peter Maydell wrote: > > > > > Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() > > > is passed a zero

Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Michael S. Tsirkin
On Thu, Mar 26, 2020 at 09:28:27AM -0400, Michael S. Tsirkin wrote: > On Thu, Mar 26, 2020 at 02:23:17PM +0100, Igor Mammedov wrote: > > On Thu, 26 Mar 2020 11:52:36 + > > Peter Maydell wrote: > > > > > Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() > > > is passed a zero

Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Michael S. Tsirkin
On Thu, Mar 26, 2020 at 02:23:17PM +0100, Igor Mammedov wrote: > On Thu, 26 Mar 2020 11:52:36 + > Peter Maydell wrote: > > > Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() > > is passed a zero 'slots' argument then ctz32(slots) will return 32, > > and then the code that

Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Igor Mammedov
On Thu, 26 Mar 2020 11:52:36 + Peter Maydell wrote: > Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() > is passed a zero 'slots' argument then ctz32(slots) will return 32, > and then the code that does '1U << slot' is C undefined behaviour > because it's an oversized

Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Igor Mammedov
On Thu, 26 Mar 2020 13:29:01 +0100 Igor Mammedov wrote: > On Thu, 26 Mar 2020 11:52:36 + > Peter Maydell wrote: > > > Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() > > is passed a zero 'slots' argument then ctz32(slots) will return 32, > > and then the code that does

Re: acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Igor Mammedov
On Thu, 26 Mar 2020 11:52:36 + Peter Maydell wrote: > Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() > is passed a zero 'slots' argument then ctz32(slots) will return 32, > and then the code that does '1U << slot' is C undefined behaviour > because it's an oversized

acpi_pcihp_eject_slot() bug if passed 'slots == 0'

2020-03-26 Thread Peter Maydell
Hi; Coverity spots that if hw/acpi/pcihp.c:acpi_pcihp_eject_slot() is passed a zero 'slots' argument then ctz32(slots) will return 32, and then the code that does '1U << slot' is C undefined behaviour because it's an oversized shift. (This is CID 1421896.) Since the pci_write() function in this
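The hazard Peter describes, shown as an added example that is not code from QEMU or from this thread: a stand-in `ctz32()` with the contract the report relies on (returns 32 for a zero argument), a helper that states when a 32-bit shift is defined, and an eject routine over a constructed `slot_bus` model (the struct, `eject_slots_checked()` and the sample register values are assumptions for illustration, not QEMU's types or API). The loop only calls `ctz32()` on a non-zero value, so a zero written to the (assumed guest-controlled) eject register does nothing rather than reaching `1U << 32`.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the ctz32() helper with the contract the thread describes:
 * count trailing zeros, and return 32 for a zero argument.
 * (__builtin_ctz is undefined for 0, so the zero case is handled explicitly.)
 */
static inline int ctz32(uint32_t val)
{
    return val ? __builtin_ctz(val) : 32;
}

/* A shift of a 32-bit value by 'n' is only defined in C for 0 <= n < 32. */
static inline int shift_is_defined(int n)
{
    return n >= 0 && n < 32;
}

/* Constructed model of a hot-plug bus: one bit per slot, set = populated. */
typedef struct {
    uint32_t populated;
    unsigned ejected;
} slot_bus;

/*
 * Eject every slot whose bit is set in 'slots' (the value written to the
 * eject register, assumed to be guest-controlled). Returns the number of
 * slots actually ejected.
 *
 * The loop condition guarantees ctz32() is never called with 0, so 'slot'
 * is always 0..31 and the shift below is always defined. A zero write falls
 * straight through and returns 0; the buggy shape (unconditional ctz32()
 * followed by 1U << slot) would instead shift by 32.
 */
int eject_slots_checked(slot_bus *bus, uint32_t slots)
{
    int count = 0;
    while (slots) {
        int slot = ctz32(slots);          /* 0..31 here, never 32 */
        uint32_t mask = 1U << slot;       /* well-defined shift */
        slots &= ~mask;                   /* clear the bit so the loop ends */
        if (bus->populated & mask) {
            bus->populated &= ~mask;
            bus->ejected++;
            count++;
        }
    }
    return count;
}

int main(void)
{
    slot_bus bus = { .populated = 0xAu, .ejected = 0 }; /* slots 1 and 3 */

    printf("ctz32(0) = %d, shift by it defined: %d\n",
           ctz32(0), shift_is_defined(ctz32(0)));
    printf("write 0x0 -> %d ejected\n", eject_slots_checked(&bus, 0));
    printf("write 0xB -> %d ejected, populated now 0x%x\n",
           eject_slots_checked(&bus, 0xBu), bus.populated);
    return 0;
}
```

The same bound applies to any other bit-scan helper whose zero result equals the type width (ctz64 and 64, for instance): the check belongs before the scan, or the loop must be structured so the scan never sees zero.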