Re: [PULL 22/33] spapr: Implement Open Firmware client interface

qemu-ppc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PULL 22/33] spapr: Implement Open Firmware client interface

From:	Peter Maydell
Subject:	Re: [PULL 22/33] spapr: Implement Open Firmware client interface
Date:	Tue, 13 Jul 2021 12:09:18 +0100

On Fri, 9 Jul 2021 at 06:17, David Gibson <david@gibson.dropbear.id.au> wrote:
>
> From: Alexey Kardashevskiy <aik@ozlabs.ru>
>
> The PAPR platform describes an OS environment that's presented by
> a combination of a hypervisor and firmware. The features it specifies
> require collaboration between the firmware and the hypervisor.

Another Coverity issue unrelated to the others: CID 1458132:

> +int vof_client_call(MachineState *ms, Vof *vof, void *fdt,
> +                    target_ulong args_real)
> +{
> +    struct prom_args args_be;
> +    uint32_t args[ARRAY_SIZE(args_be.args)];
> +    uint32_t rets[ARRAY_SIZE(args_be.args)] = { 0 }, ret;
> +    char service[64];
> +    unsigned nargs, nret, i;
> +
> +    if (VOF_MEM_READ(args_real, &args_be, sizeof(args_be)) != MEMTX_OK) {
> +        return -EINVAL;
> +    }
> +    nargs = be32_to_cpu(args_be.nargs);
> +    if (nargs >= ARRAY_SIZE(args_be.args)) {

Our only bounds check against overflowing the args arrays is here,
on 'nargs'...

> +        return -EINVAL;
> +    }
> +
> +    if (VOF_MEM_READ(be32_to_cpu(args_be.service), service, sizeof(service)) 
> !=
> +        MEMTX_OK) {
> +        return -EINVAL;
> +    }
> +    if (strnlen(service, sizeof(service)) == sizeof(service)) {
> +        /* Too long service name */
> +        return -EINVAL;
> +    }
> +
> +    for (i = 0; i < nargs; ++i) {
> +        args[i] = be32_to_cpu(args_be.args[i]);
> +    }
> +
> +    nret = be32_to_cpu(args_be.nret);
> +    ret = vof_client_handle(ms, fdt, vof, service, args, nargs, rets, nret);
> +    if (!nret) {
> +        return 0;
> +    }
> +
> +    args_be.args[nargs] = cpu_to_be32(ret);
> +    for (i = 1; i < nret; ++i) {
> +        args_be.args[nargs + i] = cpu_to_be32(rets[i - 1]);
> +    }

...but in the code we fill the args_be array with "nargs + 1 + nret - 1"
values.

Side note: is the code really intentionally copying only nret-1 values
from rets[], or is the loop condition supposed to be "<= nret" ?

> +
> +    if (VOF_MEM_WRITE(args_real + offsetof(struct prom_args, args[nargs]),
> +                      args_be.args + nargs, sizeof(args_be.args[0]) * nret) 
> !=
> +        MEMTX_OK) {
> +        return -EINVAL;
> +    }
> +
> +    return 0;
> +}

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 10/33] target/ppc: Split out ppc_jumbo_xlate, (continued)
- [PULL 10/33] target/ppc: Split out ppc_jumbo_xlate, David Gibson, 2021/07/09
- [PULL 13/33] target/ppc: Fix compilation with DUMP_PAGE_TABLES debug option, David Gibson, 2021/07/09
- [PULL 11/33] target/ppc: Introduce ppc_xlate, David Gibson, 2021/07/09
- [PULL 21/33] docs/system: ppc: Update ppce500 documentation with eTSEC support, David Gibson, 2021/07/09
- [PULL 19/33] target/ppc: change ppc_hash32_xlate to use mmu_idx, David Gibson, 2021/07/09
- [PULL 23/33] target/ppc: mtmsrd is an illegal instruction on BookE, David Gibson, 2021/07/09
- [PULL 16/33] target/ppc: fix address translation bug for radix mmus, David Gibson, 2021/07/09
- [PULL 25/33] target/ppc: Allow virtual hypervisor on CPU without HV, David Gibson, 2021/07/09
- [PULL 22/33] spapr: Implement Open Firmware client interface, David Gibson, 2021/07/09
  - Re: [PULL 22/33] spapr: Implement Open Firmware client interface, Peter Maydell, 2021/07/13
  - Re: [PULL 22/33] spapr: Implement Open Firmware client interface, Peter Maydell <=
- [PULL 26/33] target/ppc/spapr: Update H_GET_CPU_CHARACTERISTICS L1D cache flush bits, David Gibson, 2021/07/09
- [PULL 24/33] ppc/pegasos2: Introduce Pegasos2MachineState structure, David Gibson, 2021/07/09
- [PULL 28/33] ppc/pegasos2: Fix use of && instead of &, David Gibson, 2021/07/09
- [PULL 20/33] roms/u-boot: Bump ppce500 u-boot to v2021.07 to add eTSEC support, David Gibson, 2021/07/09
- [PULL 27/33] ppc/pegasos2: Use Virtual Open Firmware as firmware replacement, David Gibson, 2021/07/09
- [PULL 30/33] target/ppc: Don't compile ppc_tlb_invalid_all without TCG, David Gibson, 2021/07/09
- [PULL 32/33] linux-headers: Update, David Gibson, 2021/07/09
- [PULL 29/33] ppc/pegasos2: Implement some RTAS functions with VOF, David Gibson, 2021/07/09
- [PULL 33/33] target/ppc: Support for H_RPT_INVALIDATE hcall, David Gibson, 2021/07/09
- [PULL 31/33] spapr: Fix implementation of Open Firmware client interface, David Gibson, 2021/07/09

Prev by Date: Re: [PULL 22/33] spapr: Implement Open Firmware client interface
Next by Date: [PATCH qemu] ppc/vof: Fix Coverity issues
Previous by thread: Re: [PULL 22/33] spapr: Implement Open Firmware client interface
Next by thread: [PULL 26/33] target/ppc/spapr: Update H_GET_CPU_CHARACTERISTICS L1D cache flush bits
Index(es):
- Date
- Thread