On Tue, Jan 07, 2020 at 06:18:09PM +0100, Cédric Le Goater wrote:
> blk_getlength() returns an int64_t but the result is stored in a
> uint32_t. Errors (negative values) won't be caught by the check in
> pnv_pnor_realize() and blk_blockalign() will allocate a very large
> buffer in such cases.
>
> Fixes Coverity issue CID 1412226.
>
> Signed-off-by: Cédric Le Goater <c...@kaod.org>

Applied to ppc-for-5.0. > --- > include/hw/ppc/pnv_pnor.h | 2 +- > hw/ppc/pnv_pnor.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h > index c3dd28643cae..4f96abdfb402 100644 > --- a/include/hw/ppc/pnv_pnor.h > +++ b/include/hw/ppc/pnv_pnor.h > @@ -23,7 +23,7 @@ typedef struct PnvPnor { > BlockBackend *blk; > > uint8_t *storage; > - uint32_t size; > + int64_t size; > MemoryRegion mmio; > } PnvPnor; > > diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c > index 0e86ae2feae6..b061106d1c0c 100644 > --- a/hw/ppc/pnv_pnor.c > +++ b/hw/ppc/pnv_pnor.c > @@ -111,7 +111,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error > **errp) > } > > static Property pnv_pnor_properties[] = { > - DEFINE_PROP_UINT32("size", PnvPnor, size, 128 << 20), > + DEFINE_PROP_INT64("size", PnvPnor, size, 128 << 20), > DEFINE_PROP_DRIVE("drive", PnvPnor, blk), > DEFINE_PROP_END_OF_LIST(), > }; -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
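Review bot: in the PnvPnor struct hunk of include/hw/ppc/pnv_pnor.h, widening size to int64_t means the field can now hold a negative error return from blk_getlength() as well as a real size, so every reader of s->size has to cope with a signed value. Consider reading the blk_getlength() result into a local int64_t in pnv_pnor_realize(), rejecting values <= 0 there, and only then storing it, or at least add a comment on the field stating that it is validated in realize and never negative afterwards. The realize check itself is not in the visible context, so it is worth confirming that it tests the signed value before blk_blockalign() is called.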
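Review bot: in the pnv_pnor_properties hunk of hw/ppc/pnv_pnor.c, switching to DEFINE_PROP_INT64("size", ...) makes the user-settable property accept negative values, and nothing in the visible lines bounds it. If the property value is used as the allocation size when no drive is attached, pnv_pnor_realize() should reject a non-positive size with an error through errp before it reaches blk_blockalign(). The default 128 << 20 still fits in an int, so the default itself is unaffected by the type change.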