On Tue, 7 Jan 2020 18:18:09 +0100 Cédric Le Goater <c...@kaod.org> wrote:
> blk_getlength() returns an int64_t but the result is stored in a > uint32_t. Errors (negative values) won't be caught by the check in > pnv_pnor_realize() and blk_blockalign() will allocate a very large > buffer in such cases. > > Fixes Coverity issue CID 1412226. > > Signed-off-by: Cédric Le Goater <c...@kaod.org> > --- Reviewed-by: Greg Kurz <gr...@kaod.org> > include/hw/ppc/pnv_pnor.h | 2 +- > hw/ppc/pnv_pnor.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h > index c3dd28643cae..4f96abdfb402 100644 > --- a/include/hw/ppc/pnv_pnor.h > +++ b/include/hw/ppc/pnv_pnor.h > @@ -23,7 +23,7 @@ typedef struct PnvPnor { > BlockBackend *blk; > > uint8_t *storage; > - uint32_t size; > + int64_t size; > MemoryRegion mmio; > } PnvPnor; > > diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c > index 0e86ae2feae6..b061106d1c0c 100644 > --- a/hw/ppc/pnv_pnor.c > +++ b/hw/ppc/pnv_pnor.c > @@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error > **errp) > } > > static Property pnv_pnor_properties[] = { > - DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20), > + DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20), > DEFINE_PROP_DRIVE("drive", PnvPnor, blk), > DEFINE_PROP_END_OF_LIST(), > };
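Review bot: in the include/hw/ppc/pnv_pnor.h hunk, widening `size` to `int64_t` only closes the hole if the check in pnv_pnor_realize() rejects negative values, and this patch does not touch that check. Please confirm that it tests the stored blk_getlength() result for `< 0` and fails through `errp` before blk_blockalign() is reached. An upper bound is also worth adding, since the field can now hold lengths well beyond the previous 32-bit limit.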
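Review bot: in the hw/ppc/pnv_pnor.c hunk, `DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20)` makes the user-visible property signed, so a negative or very large "size" can now be set directly, independent of what blk_getlength() returns. Either validate the property value in pnv_pnor_realize() as well, or keep the property unsigned and hold the blk_getlength() result in a local `int64_t` that is checked before it is assigned to the field.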