[PATCH RFC] prevent overflow in xlnx_dpdma_desc_get_source_address()
From: Alexandra Diupina
Subject: [PATCH RFC] prevent overflow in xlnx_dpdma_desc_get_source_address()
Date: Fri, 12 Apr 2024 11:13:28 +0300

Overflow can occur in a situation where desc->source_address
has a maximum value (pow(2, 32) - 1), so add a cast to a
larger type before the assignment.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
hw/dma/xlnx_dpdma.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index 1f5cd64ed1..224259225c 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -175,24 +175,24 @@ static uint64_t
xlnx_dpdma_desc_get_source_address(DPDMADescriptor *desc,
switch (frag) {
case 0:
- addr = desc->source_address
- + (extract32(desc->address_extension, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address
+ + (extract32(desc->address_extension, 16, 12) << 20));
break;
case 1:
- addr = desc->source_address2
- + (extract32(desc->address_extension_23, 0, 12) << 8);
+ addr = (uint64_t)(desc->source_address2
+ + (extract32(desc->address_extension_23, 0, 12) << 8));
break;
case 2:
- addr = desc->source_address3
- + (extract32(desc->address_extension_23, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address3
+ + (extract32(desc->address_extension_23, 16, 12) << 20));
break;
case 3:
- addr = desc->source_address4
- + (extract32(desc->address_extension_45, 0, 12) << 8);
+ addr = (uint64_t)(desc->source_address4
+ + (extract32(desc->address_extension_45, 0, 12) << 8));
break;
case 4:
- addr = desc->source_address5
- + (extract32(desc->address_extension_45, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address5
+ + (extract32(desc->address_extension_45, 16, 12) << 20));
break;
default:
addr = 0;
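Review bot: the (uint64_t) cast in all five cases wraps the whole parenthesised sum, so the addition is still performed in the narrower type and can wrap before the result is widened; the overflow the commit message describes is unchanged. Cast an operand instead, for example `addr = (uint64_t)desc->source_address + (extract32(desc->address_extension, 16, 12) << 20);`, so the addition itself is done in 64 bits. Separately, a 12-bit field shifted left by 20 or by 8 ends at bit 31 or bit 19, so it overlaps the range of the 32-bit source_address rather than extending it; it is worth confirming the shift amounts against the descriptor layout, and widening the extract32() result before shifting if the extension is meant to sit above bit 31.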
--
2.30.2