qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/wri

From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v2] coverity-model: model address_space_read/write
Date: Wed, 15 Mar 2017 06:55:32 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 
On 03/15/2017 03:16 AM, Paolo Bonzini wrote:
> Commit eb7eeb8 ("memory: split address_space_read and
> address_space_write", 2015-12-17) made address_space_rw
> dispatch to one of address_space_read or address_space_write,
> rather than vice versa.
> 
> For callers of address_space_read and address_space_write this
> causes false positive defects when Coverity sees a length-8 write in
> address_space_read and a length-4 (e.g. int*) buffer to read into.
> As long as the size of the buffer is okay, this is a false positive.
> 
> Reflect the code change into the model.
> 
> Signed-off-by: Paolo Bonzini <address@hidden>
> ---
>  scripts/coverity-model.c | 17 +++++++++++++----
>  1 file changed, 13 insertions(+), 4 deletions(-)

> -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
> -                             uint8_t *buf, int len, bool is_write)
> +MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
> +                               MemTxAttrs attrs,
> +                               uint8_t *buf, int len)
>  {
>      MemTxResult result;
> -
>      // TODO: investigate impact of treating reads as producing
>      // tainted data, with __coverity_tainted_data_argument__(buf).
> -    if (is_write) __bufread(buf, len); else __bufwrite(buf, len);

Old code did __bufread for reads,

> +    __bufwrite(buf, len);

but the new does __bufwrite.

> +    return result;
> +}
>  
> +MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
> +                                MemTxAttrs attrs,
> +                                const uint8_t *buf, int len)
> +{
> +    MemTxResult result;
> +    __bufread(buf, len);

And __bufread for writes.  Did you get this backwards?

>      return result;
>  }
>  
> +
>  /* Tainting */
>  
>  typedef struct {} name2keysym_t;
> 

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]