Commit fc2527fb authored Jan 07, 2020 by Cédric Le Goater Committed by David Gibson Jan 08, 2020

ppc/pnv: fix check on return value of blk_getlength()



blk_getlength() returns an int64_t but the result is stored in a
uint32_t. Errors (negative values) won't be caught by the check in
pnv_pnor_realize() and blk_blockalign() will allocate a very large
buffer in such cases.

Fixes Coverity issue CID 1412226.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20200107171809.15556-3-clg@kaod.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

parent 3a688294

hw/ppc/pnv_pnor.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState dev, Error *errp)
		}

		static Property pnv_pnor_properties[] = {
		DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20),
		DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20),
		DEFINE_PROP_DRIVE("drive", PnvPnor, blk),
		DEFINE_PROP_END_OF_LIST(),
		};

include/hw/ppc/pnv_pnor.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -23,7 +23,7 @@ typedef struct PnvPnor {
		BlockBackend *blk;

		uint8_t *storage;
		uint32_t size;
		int64_t size;
		MemoryRegion mmio;
		} PnvPnor;