spapr_nvram: Check return value from blk_getlength()

Message ID	1496675657-11599-1-git-send-email-peter.maydell@linaro.org
State	Superseded
Headers	show Delivered-To: patches@linaro.org Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) client-ip=2001:8b0:1d0::2; From: Peter Maydell <peter.maydell@linaro.org> To: qemu-devel@nongnu.org Cc: patches@linaro.org, qemu-ppc@nongnu.org, Alexander Graf <agraf@suse.de>, David Gibson <david@gibson.dropbear.id.au> Subject: [PATCH] spapr_nvram: Check return value from blk_getlength() Date: Mon, 5 Jun 2017 16:14:17 +0100 Message-Id: <1496675657-11599-1-git-send-email-peter.maydell@linaro.org>

Message ID

1496675657-11599-1-git-send-email-peter.maydell@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: best guess record for domain of
	pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted
	sender) client-ip=2001:8b0:1d0::2; 
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Cc: patches@linaro.org, qemu-ppc@nongnu.org, Alexander Graf <agraf@suse.de>,
	David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH] spapr_nvram: Check return value from blk_getlength()
Date: Mon,  5 Jun 2017 16:14:17 +0100
Message-Id: <1496675657-11599-1-git-send-email-peter.maydell@linaro.org>

Commit Message

Peter Maydell June 5, 2017, 3:14 p.m. UTC

The blk_getlength() function can return an error value if the
image size cannot be determined. Check for this rather than
ploughing on and trying to g_malloc0() a negative number.
(Spotted by Coverity, CID 1288484.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---
 hw/nvram/spapr_nvram.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

-- 
2.7.4

Comments

David Gibson June 5, 2017, 11:19 p.m. UTC | #1

On Mon, Jun 05, 2017 at 04:14:17PM +0100, Peter Maydell wrote:
> The blk_getlength() function can return an error value if the

> image size cannot be determined. Check for this rather than

> ploughing on and trying to g_malloc0() a negative number.

> (Spotted by Coverity, CID 1288484.)

> 

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Applied to ppc-for-2.10, thanks.

> ---

>  hw/nvram/spapr_nvram.c | 10 +++++++++-

>  1 file changed, 9 insertions(+), 1 deletion(-)

> 

> diff --git a/hw/nvram/spapr_nvram.c b/hw/nvram/spapr_nvram.c

> index aa5d2c1..bc355a4 100644

> --- a/hw/nvram/spapr_nvram.c

> +++ b/hw/nvram/spapr_nvram.c

> @@ -144,7 +144,15 @@ static void spapr_nvram_realize(VIOsPAPRDevice *dev, Error **errp)

>      int ret;

>  

>      if (nvram->blk) {

> -        nvram->size = blk_getlength(nvram->blk);

> +        int64_t len = blk_getlength(nvram->blk);

> +

> +        if (len < 0) {

> +            error_setg_errno(errp, -len,

> +                             "could not get length of backing image");

> +            return;

> +        }

> +

> +        nvram->size = len;

>  

>          ret = blk_set_perm(nvram->blk,

>                             BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,


-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

diff --git a/hw/nvram/spapr_nvram.c b/hw/nvram/spapr_nvram.c
index aa5d2c1..bc355a4 100644
--- a/hw/nvram/spapr_nvram.c
+++ b/hw/nvram/spapr_nvram.c
@@ -144,7 +144,15 @@  static void spapr_nvram_realize(VIOsPAPRDevice *dev, Error **errp)
     int ret;
 
     if (nvram->blk) {
-        nvram->size = blk_getlength(nvram->blk);
+        int64_t len = blk_getlength(nvram->blk);
+
+        if (len < 0) {
+            error_setg_errno(errp, -len,
+                             "could not get length of backing image");
+            return;
+        }
+
+        nvram->size = len;
 
         ret = blk_set_perm(nvram->blk,
                            BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,

spapr_nvram: Check return value from blk_getlength()

Commit Message

Comments

Patch