[PATCH] target/arm: add bounding a->imm assertion

2025-07-24 Thread Anastasia Belova
Add an assertion similar to that in the do_shr_narrow(). This will make sure that functions from sshll_ops have correct arguments. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belova --- target/arm/tcg/translate-sve.c | 1 + 1 file changed, 1

[PATCH] net: fix buffer overflow in af_xdp_umem_create()

2025-06-02 Thread Anastasia Belova
s->pool has n_descs elements so maximum i should be n_descs - 1. Fix the upper bound. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend") Signed-off-by: Anastasia Belova --- net/af-xdp.c |

[PATCH test] target/arm: add bounding a->imm assertion

2025-03-25 Thread Anastasia Belova
Add an assertion similar to that in the do_shr_narrow(). This will make sure that functions from sshll_ops have correct arguments. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belova --- target/arm/tcg/translate-sve.c | 1 + 1 file changed, 1

[PATCH RFC] target/arm: add bounding a->imm assertion

2025-03-25 Thread Anastasia Belova
Add an assertion similar to that in the do_shr_narrow(). This will make sure that functions from sshll_ops have correct arguments. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belova --- target/arm/tcg/translate-sve.c | 1 + 1 file changed, 1

Re: [PATCH RFC] target/arm: add bounding a->imm assertion

2025-03-25 Thread Anastasia Belova
Sorry for accidentally sending this patch twice. My mail system reports that it can't be delivered to Peter Maydell and I am trying to solve it. On 3/25/25 1:17 PM, Anastasia Belova wrote: From: Anastasia Belova Add an assertion similar to that in the do_shr_narrow(). This will make

[PATCH RFC] target/arm: add bounding a->imm assertion

2025-03-25 Thread Anastasia Belova
From: Anastasia Belova Add an assertion similar to that in the do_shr_narrow(). This will make sure that functions from sshll_ops have correct arguments. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belova --- target/arm/tcg/translate-sve.c | 1

[PATCH v2] hw/arm_sysctl: fix extracting 31th bit of val

2024-12-20 Thread Anastasia Belova
1 << 31 is cast to uint64_t while bitwise and with val. So this value may become 0x8000 but only 31st "start" bit is required. Use the bitfield extract() API instead. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belo

[PATCH] hw/arm_sysctl: fix extraxting 31th bit of val

2024-12-20 Thread Anastasia Belova
1 << 31 is cast to uint64_t while bitwise and with val. So this value may become 0x8000 but only 31st "start" bit is required. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belova --- hw/misc/arm_sysctl.c | 2 +- 1

Re: [PATCH] hw/timer/nrf51_timer: prevent integer overflow

2024-12-04 Thread Anastasia Belova
On 12/3/24 7:46 PM, Peter Maydell wrote: On Tue, 3 Dec 2024 at 16:25, Anastasia Belova wrote: Both counter and tick are uint32_t and the result of their addition may not fit this type. Add explicit casting to uint64_t. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes

[PATCH] hw/timer/nrf51_timer: prevent integer overflow

2024-12-03 Thread Anastasia Belova
Both counter and tick are uint32_t and the result of their addition may not fit this type. Add explicit casting to uint64_t. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: c5a4829c08 ("hw/timer/nrf51_timer: Add nRF51 Timer peripheral") Signed-off-by: Anasta

Re: [PATCH] monitor: fix cases in switch in memory_dump

2024-10-31 Thread Anastasia Belova
> On 30 Oct 2024, at 22:03, Phil Dennis-Jordan wrote: > > > On Wed 30. Oct 2024 at 15:09, Anastasia Belova wrote: > default case has no condition. So if it is placed > higher than other cases, they are unreachable. > > Move default case down. > > The styli

[PATCH] monitor: fix cases in switch in memory_dump

2024-10-30 Thread Anastasia Belova
default case has no condition. So if it is placed higher than other cases, they are unreachable. Move default case down. Found by Linux Verification Center (linuxtesting.org) Signed-off-by: Anastasia Belova --- monitor/hmp-cmds-target.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion

Re: [PATCH] hw/dma: prevent overflow in soc_dma_set_request

2024-04-09 Thread Anastasia Belova
09/04/24 15:02, Peter Maydell wrote: On Tue, 9 Apr 2024 at 12:54, Anastasia Belova wrote: ch->num can reach values up to 31. Add casting to a larger type before performing left shift to prevent integer overflow. If ch->num can only reach up to 31, then 1 << ch->num is fin

[PATCH] hw/dma: prevent overflow in soc_dma_set_request

2024-04-09 Thread Anastasia Belova
;) Signed-off-by: Anastasia Belova --- hw/dma/soc_dma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/dma/soc_dma.c b/hw/dma/soc_dma.c index 3a430057f5..d5c52b804f 100644 --- a/hw/dma/soc_dma.c +++ b/hw/dma/soc_dma.c @@ -209,9 +209,9 @@ void soc_dma_set_request(struct

[PATCH v3] load_elf: fix iterator's type for elf file processing

2024-01-15 Thread Anastasia Belova
: Add data swap option to load-elf") Signed-off-by: Anastasia Belova --- v2: fix type of j v3: remove changes for i, size and another j Thanks for your patience. include/hw/elf_ops.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h i

[PATCH v2] load_elf: fix iterators' types for elf file processing

2024-01-12 Thread Anastasia Belova
) with SVACE. Fixes: 7ef295ea5b ("loader: Add data swap option to load-elf") Signed-off-by: Anastasia Belova --- include/hw/elf_ops.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h index 0a5c258fe6..6e807708f3 100644 ---

[PATCH] load_elf: fix iterator type in glue

2023-12-21 Thread Anastasia Belova
file_size is uint32_t, so j < file_size should be uint32_t too. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7ef295ea5b ("loader: Add data swap option to load-elf") Signed-off-by: Anastasia Belova --- include/hw/elf_ops.h | 2 +- 1 file changed, 1 in

[PATCH] l2tpv3: overwrite s->fd in net_l2tpv3_cleanup

2023-10-18 Thread Anastasia Belova
It's better to overwrite freed pointer s->fd to avoid accessing an invalid descriptor. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 3fb69aa1d1 ("net: L2TPv3 transport") Signed-off-by: Anastasia Belova --- net/l2tpv3.c | 1 + 1 file changed, 1

[PATCH] hyperv: add check for NULL for msg

2023-09-28 Thread Anastasia Belova
cpu_physical_memory_map may return NULL in hyperv_hcall_post_message. Add check for NULL to avoid NULL-dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 76036a5fc7 ("hyperv: process POST_MESSAGE hypercall") Signed-off-by: Anastasia Belova ---

[PATCH] hw/qxl: move check of slot_id before accessing guest_slots

2023-09-14 Thread Anastasia Belova
If slot_id >= NUM_MEMSLOTS, buffer overflow is possible. So the check should be upper than d->guest_slots[slot_id] where size of d->guest_slots is NUM_MEMSLOTS. Fixes: e954ea2873 ("qxl: qxl_add_memslot: remove guest trigerrable panics") Signed-off-by: Anastasia Belova --- hw

[PATCH] vnc: move assert in vnc_worker_thread_loop

2023-06-09 Thread Anastasia Belova
job may be NULL if queue->exit is true. Check it before dereferencing job. Fixes: f31f9c1080 ("vnc: add magic cookie to VncState") Signed-off-by: Anastasia Belova --- ui/vnc-jobs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c ind

[PATCH] vnc: move assert in vnc_worker_thread_loop

2023-04-17 Thread Anastasia Belova
job may be NULL if queue->exit is true. Check it before dereferencing job. Fixes: f31f9c1080 ("vnc: add magic cookie to VncState") Signed-off-by: Anastasia Belova --- ui/vnc-jobs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c ind