Hello,

Just a heads up about the issues Coverity found in the latest QEMU. It would be nice to fix them before QEMU 10.0 is released.
Thanks,

C.

-------- Forwarded Message --------
Subject: New Defects reported by Coverity Scan for QEMU
Date: Thu, 13 Mar 2025 18:44:59 +0000
From: scan-ad...@coverity.com
To: c...@kaod.org

Hi,

Please find the latest report on new defect(s) introduced to QEMU found with Coverity Scan.

5 new defect(s) introduced to QEMU found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 1593725:  Error handling issues  (CHECKED_RETURN)
/builds/qemu-project/qemu/hw/ppc/amigaone.c: 112 in nvram_write()


________________________________________________________________________________________________________
*** CID 1593725:  Error handling issues  (CHECKED_RETURN)
/builds/qemu-project/qemu/hw/ppc/amigaone.c: 112 in nvram_write()
106     {
107         A1NVRAMState *s = opaque;
108         uint8_t *p = memory_region_get_ram_ptr(&s->mr);
109
110         p[addr] = val;
111         if (s->blk) {
>>>     CID 1593725:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "blk_pwrite" without checking return value (as is done elsewhere 30 out of 36 times).
112             blk_pwrite(s->blk, addr, 1, &val, 0);
113         }
114     }
115
116     static const MemoryRegionOps nvram_ops = {
117         .read = nvram_read,


** CID 1593724:  Integer handling issues  (BAD_SHIFT)
/builds/qemu-project/qemu/hw/intc/xive.c: 1665 in xive_get_vpgroup_size()


________________________________________________________________________________________________________
*** CID 1593724:  Integer handling issues  (BAD_SHIFT)
/builds/qemu-project/qemu/hw/intc/xive.c: 1665 in xive_get_vpgroup_size()
1659    {
1660        /*
1661         * Group size is a power of 2. The position of the first 0
1662         * (starting with the least significant bits) in the NVP index
1663         * gives the size of the group.
1664         */
>>>     CID 1593724:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << ctz32(~nvp_index) + 1", left shifting by more than 31 bits has undefined behavior.  The shift amount, "ctz32(~nvp_index) + 1", is 33.
1665        return 1 << (ctz32(~nvp_index) + 1);
1666    }
1667
1668    static uint8_t xive_get_group_level(bool crowd, bool ignore,
1669                                        uint32_t nvp_blk, uint32_t nvp_index)
1670    {


** CID 1593723:    (DEADCODE)
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 266 in pnv_bmc_set_pnor()
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 271 in pnv_bmc_set_pnor()


________________________________________________________________________________________________________
*** CID 1593723:    (DEADCODE)
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 266 in pnv_bmc_set_pnor()
260
261        /*
262         * The HIOMAP protocol uses block units and 16-bit addressing.
263         * Prevent overflow or misalign.
264         */
265        if (pnor_addr >= 1U << (BLOCK_SHIFT + 16)) {
>>>     CID 1593723:    (DEADCODE)
>>>     Execution cannot reach this statement: "warn_report("PNOR address i...".
266            warn_report("PNOR address is larger than 2^%d, disabling PNOR",
267                        BLOCK_SHIFT + 16);
268            return;
269        }
270        if (pnor_addr & ((1U << BLOCK_SHIFT) - 1)) {
271            warn_report("PNOR address is not aligned to 2^%d, disabling PNOR",
/builds/qemu-project/qemu/hw/ppc/pnv_bmc.c: 271 in pnv_bmc_set_pnor()
265        if (pnor_addr >= 1U << (BLOCK_SHIFT + 16)) {
266            warn_report("PNOR address is larger than 2^%d, disabling PNOR",
267                        BLOCK_SHIFT + 16);
268            return;
269        }
270        if (pnor_addr & ((1U << BLOCK_SHIFT) - 1)) {
>>>     CID 1593723:    (DEADCODE)
>>>     Execution cannot reach this statement: "warn_report("PNOR address i...".
271            warn_report("PNOR address is not aligned to 2^%d, disabling PNOR",
272                        BLOCK_SHIFT);
273            return;
274        }
275        if (pnor_size > 1U << (BLOCK_SHIFT + 16)) {
276            warn_report("PNOR size is larger than 2^%d, disabling PNOR",


** CID 1593722:  Memory - corruptions  (OVERRUN)
/builds/qemu-project/qemu/hw/ppc/spapr.c: 299 in spapr_dt_pa_features()


________________________________________________________________________________________________________
*** CID 1593722:  Memory - corruptions  (OVERRUN)
/builds/qemu-project/qemu/hw/ppc/spapr.c: 299 in spapr_dt_pa_features()
293        /* Workaround for broken kernels that attempt (guest) radix
294         * mode when they can't handle it, if they see the radix bit set
295         * in pa-features. So hide it from them. */
296        pa_features[40 + 2] &= ~0x80; /* Radix MMU */
297    }
298    if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
>>>     CID 1593722:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array of 26 bytes at byte offset 66 by dereferencing pointer "pa_features + 66".
299        pa_features[66] |= 0x80;
300    }
301
302    _FDT((fdt_setprop(fdt, offset, "ibm,pa-features", pa_features, pa_size)));
303 }
304


** CID 1593721:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/builds/qemu-project/qemu/hw/intc/xive2.c: 1338 in xive2_router_end_notify()


________________________________________________________________________________________________________
*** CID 1593721:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/builds/qemu-project/qemu/hw/intc/xive2.c: 1338 in xive2_router_end_notify()
1332        if (!xive2_end_is_valid(&end)) {
1333            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: END %x/%x is invalid\n",
1334                          end_blk, end_idx);
1335            return;
1336        }
1337
>>>     CID 1593721:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "be32_to_cpu(end.w6) & (536870912U /* 0x80000000U >> 2 */) & !(be32_to_cpu(end.w6) & (1073741824U /* 0x80000000U >> 1 */))" is always 0 regardless of the values of its operands.  This occurs as the logical operand of "if".
1338        if (xive2_end_is_crowd(&end) & !xive2_end_is_ignore(&end)) {
1339            qemu_log_mask(LOG_GUEST_ERROR,
1340                          "XIVE: invalid END, 'crowd' bit requires 'ignore' bit\n");
1341            return;
1342        }
1343


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/qemu?tab=overview