On Sun, 23 Jun 2024 at 03:46, Minwoo Im <minwoo.im....@gmail.com> wrote: > > This patch fixes two points reported in coverity scan report [1]. Check > the MMIO access address with (addr + size), not just with the start offset > addr to make sure that the requested memory access not to exceed the > actual register region. We also updated (uint8_t *) to (uint32_t *) to > represent we are accessing the MMIO registers by dword-sized only. > > [1] > https://lore.kernel.org/qemu-devel/cafeaca82l-wznhmw0x+dr40bhm-evq2zh4dg4pdqop4xxdp...@mail.gmail.com/ > > Cc: Jeuk Kim <jeuk20....@gmail.com> > Reported-by: Peter Maydell <peter.mayd...@linaro.org> > Signed-off-by: Minwoo Im <minwoo.im....@gmail.com> > --- > hw/ufs/ufs.c | 31 ++++++++++++++++--------------- > 1 file changed, 16 insertions(+), 15 deletions(-) > > diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c > index 71a88d221ced..bf2ff02ac6e5 100644 > --- a/hw/ufs/ufs.c > +++ b/hw/ufs/ufs.c > @@ -55,17 +55,18 @@ static inline uint64_t ufs_reg_size(UfsHc *u) > return ufs_mcq_op_reg_addr(u, 0) + sizeof(u->mcq_op_reg); > } > > -static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr) > +static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size) > { > uint64_t mcq_reg_addr = ufs_mcq_reg_addr(u, 0); > - return addr >= mcq_reg_addr && addr < mcq_reg_addr + sizeof(u->mcq_reg); > + return (addr >= mcq_reg_addr && > + addr + size <= mcq_reg_addr + sizeof(u->mcq_reg)); > } > > -static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr) > +static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned size) > { > uint64_t mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0); > return (addr >= mcq_op_reg_addr && > - addr < mcq_op_reg_addr + sizeof(u->mcq_op_reg)); > + addr + size <= mcq_op_reg_addr + sizeof(u->mcq_op_reg));
Stray extra space after "addr". Otherwise Reviewed-by: Peter Maydell <peter.mayd...@linaro.org> thanks -- PMM
