On 6/24/2024 7:27 PM, Peter Maydell wrote:
On Sun, 23 Jun 2024 at 03:46, Minwoo Im <minwoo.im....@gmail.com> wrote:
This patch fixes two points reported in coverity scan report [1]. Check
the MMIO access address with (addr + size), not just with the start offset
addr to make sure that the requested memory access not to exceed the
actual register region. We also updated (uint8_t *) to (uint32_t *) to
represent we are accessing the MMIO registers by dword-sized only.
[1]
https://lore.kernel.org/qemu-devel/cafeaca82l-wznhmw0x+dr40bhm-evq2zh4dg4pdqop4xxdp...@mail.gmail.com/
Cc: Jeuk Kim <jeuk20....@gmail.com>
Reported-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Minwoo Im <minwoo.im....@gmail.com>
---
hw/ufs/ufs.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index 71a88d221ced..bf2ff02ac6e5 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -55,17 +55,18 @@ static inline uint64_t ufs_reg_size(UfsHc *u)
return ufs_mcq_op_reg_addr(u, 0) + sizeof(u->mcq_op_reg);
}
-static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr)
+static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size)
{
uint64_t mcq_reg_addr = ufs_mcq_reg_addr(u, 0);
- return addr >= mcq_reg_addr && addr < mcq_reg_addr + sizeof(u->mcq_reg);
+ return (addr >= mcq_reg_addr &&
+ addr + size <= mcq_reg_addr + sizeof(u->mcq_reg));
}
-static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr)
+static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned size)
{
uint64_t mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0);
return (addr >= mcq_op_reg_addr &&
- addr < mcq_op_reg_addr + sizeof(u->mcq_op_reg));
+ addr + size <= mcq_op_reg_addr + sizeof(u->mcq_op_reg));
Stray extra space after "addr".
Thank you for your comment.
I'll fix it when I send the pull request.
Otherwise
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
thanks
-- PMM
