Message ID | 20200324212103.7616-1-peter.maydell@linaro.org |
---|---|
State | Superseded |
Series | hw/net/allwinner-sun8i-emac.c: Fix REG_ADDR_HIGH/LOW reads |
On 3/24/20 2:21 PM, Peter Maydell wrote:
> Coverity points out (CID 1421926) that the read code for
> REG_ADDR_HIGH reads off the end of the buffer, because it does a
> 32-bit read from byte 4 of a 6-byte buffer.
>
> The code also has an endianness issue for both REG_ADDR_HIGH and
> REG_ADDR_LOW, because it will do the wrong thing on a big-endian
> host.
>
> Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this;
> the write code is not incorrect, but for consistency we make it use
> stl_le_p() and stw_le_p().
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/net/allwinner-sun8i-emac.c | 12 ++++--------
> 1 file changed, 4 insertions(+), 8 deletions(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~
On Tue, Mar 24, 2020 at 10:21 PM Peter Maydell <peter.maydell@linaro.org> wrote:
> Coverity points out (CID 1421926) that the read code for
> REG_ADDR_HIGH reads off the end of the buffer, because it does a
> 32-bit read from byte 4 of a 6-byte buffer.
>
> The code also has an endianness issue for both REG_ADDR_HIGH and
> REG_ADDR_LOW, because it will do the wrong thing on a big-endian
> host.
>
> Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this;
> the write code is not incorrect, but for consistency we make it use
> stl_le_p() and stw_le_p().
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>

Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>

By the way, is the coverity output of master publically available by any chance?

Regards,
Niek

> --- > hw/net/allwinner-sun8i-emac.c | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) > > diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c > index 3fc5e346401..fc67a1be70a 100644 > --- a/hw/net/allwinner-sun8i-emac.c > +++ b/hw/net/allwinner-sun8i-emac.c > @@ -611,10 +611,10 @@ static uint64_t allwinner_sun8i_emac_read(void > *opaque, hwaddr offset, > value = s->mii_data; > break; > case REG_ADDR_HIGH: /* MAC Address High */ > - value = *(((uint32_t *) (s->conf.macaddr.a)) + 1); > + value = lduw_le_p(s->conf.macaddr.a + 4); > break; > case REG_ADDR_LOW: /* MAC Address Low */ > - value = *(uint32_t *) (s->conf.macaddr.a); > + value = ldl_le_p(s->conf.macaddr.a); > break; > case REG_TX_DMA_STA: /* Transmit DMA Status */ > break;
> @@ -728,14 +728,10 @@ static void allwinner_sun8i_emac_write(void *opaque, > hwaddr offset, > s->mii_data = value; > break; > case REG_ADDR_HIGH: /* MAC Address High */ > - s->conf.macaddr.a[4] = (value & 0xff); > - s->conf.macaddr.a[5] = (value & 0xff00) >> 8; > + stw_le_p(s->conf.macaddr.a + 4, value); > break; > case REG_ADDR_LOW: /* MAC Address Low */ > - s->conf.macaddr.a[0] = (value & 0xff); > - s->conf.macaddr.a[1] = (value & 0xff00) >> 8; > - s->conf.macaddr.a[2] = (value & 0xff0000) >> 16; > - s->conf.macaddr.a[3] = (value & 0xff000000) >> 24; > + stl_le_p(s->conf.macaddr.a, value); > break; > case REG_TX_DMA_STA: /* Transmit DMA Status */ > case REG_TX_CUR_DESC: /* Transmit Current Descriptor */ > -- > 2.20.1 > > -- Niek Linnenbank
On Wed, 25 Mar 2020 at 21:03, Niek Linnenbank <nieklinnenbank@gmail.com> wrote:
> By the way, is the coverity output of master publically available by any chance?
We use the public 'coverity scan' service:
https://scan.coverity.com/projects/qemu
You can create an account and look at the defects if you
like, but we don't generally expect everybody to do that.
Some of us tend to triage new issues as they come in and
report the non-false-positives to the list.
thanks
-- PMM
On 2020/3/25 5:21 AM, Peter Maydell wrote:
> Coverity points out (CID 1421926) that the read code for
> REG_ADDR_HIGH reads off the end of the buffer, because it does a
> 32-bit read from byte 4 of a 6-byte buffer.
>
> The code also has an endianness issue for both REG_ADDR_HIGH and
> REG_ADDR_LOW, because it will do the wrong thing on a big-endian
> host.
>
> Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this;
> the write code is not incorrect, but for consistency we make it use
> stl_le_p() and stw_le_p().
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> --- > hw/net/allwinner-sun8i-emac.c | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) > > diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c > index 3fc5e346401..fc67a1be70a 100644 > --- a/hw/net/allwinner-sun8i-emac.c > +++ b/hw/net/allwinner-sun8i-emac.c > @@ -611,10 +611,10 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, > value = s->mii_data; > break; > case REG_ADDR_HIGH: /* MAC Address High */ > - value = *(((uint32_t *) (s->conf.macaddr.a)) + 1); > + value = lduw_le_p(s->conf.macaddr.a + 4); > break; > case REG_ADDR_LOW: /* MAC Address Low */ > - value = *(uint32_t *) (s->conf.macaddr.a); > + value = ldl_le_p(s->conf.macaddr.a); > break; > case REG_TX_DMA_STA: /* Transmit DMA Status */ > break;
> @@ -728,14 +728,10 @@ static void allwinner_sun8i_emac_write(void *opaque, hwaddr offset, > s->mii_data = value; > break; > case REG_ADDR_HIGH: /* MAC Address High */ > - s->conf.macaddr.a[4] = (value & 0xff); > - s->conf.macaddr.a[5] = (value & 0xff00) >> 8; > + stw_le_p(s->conf.macaddr.a + 4, value); > break; > case REG_ADDR_LOW: /* MAC Address Low */ > - s->conf.macaddr.a[0] = (value & 0xff); > - s->conf.macaddr.a[1] = (value & 0xff00) >> 8; > - s->conf.macaddr.a[2] = (value & 0xff0000) >> 16; > - s->conf.macaddr.a[3] = (value & 0xff000000) >> 24; > + stl_le_p(s->conf.macaddr.a, value); > break; > case REG_TX_DMA_STA: /* Transmit DMA Status */ > case REG_TX_CUR_DESC: /* Transmit Current Descriptor */

Applied. Thanks
diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c index 3fc5e346401..fc67a1be70a 100644 --- a/hw/net/allwinner-sun8i-emac.c +++ b/hw/net/allwinner-sun8i-emac.c @@ -611,10 +611,10 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, value = s->mii_data; break; case REG_ADDR_HIGH: /* MAC Address High */ - value = *(((uint32_t *) (s->conf.macaddr.a)) + 1); + value = lduw_le_p(s->conf.macaddr.a + 4); break; case REG_ADDR_LOW: /* MAC Address Low */ - value = *(uint32_t *) (s->conf.macaddr.a); + value = ldl_le_p(s->conf.macaddr.a); break; case REG_TX_DMA_STA: /* Transmit DMA Status */ break; @@ -728,14 +728,10 @@ static void allwinner_sun8i_emac_write(void *opaque, hwaddr offset, s->mii_data = value; break; case REG_ADDR_HIGH: /* MAC Address High */ - s->conf.macaddr.a[4] = (value & 0xff); - s->conf.macaddr.a[5] = (value & 0xff00) >> 8; + stw_le_p(s->conf.macaddr.a + 4, value); break; case REG_ADDR_LOW: /* MAC Address Low */ - s->conf.macaddr.a[0] = (value & 0xff); - s->conf.macaddr.a[1] = (value & 0xff00) >> 8; - s->conf.macaddr.a[2] = (value & 0xff0000) >> 16; - s->conf.macaddr.a[3] = (value & 0xff000000) >> 24; + stl_le_p(s->conf.macaddr.a, value); break; case REG_TX_DMA_STA: /* Transmit DMA Status */ case REG_TX_CUR_DESC: /* Transmit Current Descriptor */
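Review bot: In the REG_ADDR_HIGH read case of the @@ -611 hunk, the 16-bit width of lduw_le_p(s->conf.macaddr.a + 4) is what keeps the access inside the 6-byte MAC buffer, but nothing at the call site says so. A short comment there (only bytes 4 and 5 exist, so the upper half of the register reads as zero) would stop a later cleanup from widening it back to a 32-bit load, which is the pattern Coverity flagged.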
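Review bot: In the REG_ADDR_HIGH and REG_ADDR_LOW write cases of the @@ -728 hunk, the removed lines masked value explicitly (0xff, 0xff00, ...) while the replacements pass value straight to stw_le_p() and stl_le_p(), so discarding the upper bits now relies on the helpers' argument width. That keeps the behaviour, as the commit message says, but consider writing the truncation out, for example stw_le_p(s->conf.macaddr.a + 4, value & 0xffff), or adding a brief comment, so that ignoring the upper bits of a wider guest write reads as intentional.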
Coverity points out (CID 1421926) that the read code for REG_ADDR_HIGH reads off the end of the buffer, because it does a 32-bit read from byte 4 of a 6-byte buffer.

The code also has an endianness issue for both REG_ADDR_HIGH and REG_ADDR_LOW, because it will do the wrong thing on a big-endian host.

Rewrite the read code to use ldl_le_p() and lduw_le_p() to fix this; the write code is not incorrect, but for consistency we make it use stl_le_p() and stw_le_p().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/net/allwinner-sun8i-emac.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

--
2.20.1
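The access pattern the commit message describes, as an added stand-alone illustration that is not QEMU code: width-exact, byte-order-independent loads and stores over a 6-byte MAC. The `demo_*` helpers, the struct layout and the MAC bytes are constructed stand-ins for QEMU's `ldl_le_p()`/`lduw_le_p()`/`stl_le_p()`/`stw_le_p()` and the device state.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for QEMU's lduw_le_p()/ldl_le_p()/stw_le_p()/
 * stl_le_p(): values are built byte by byte, so exactly 2 or 4 bytes are
 * touched and the result is the same on any host byte order. */
static uint32_t demo_ld16_le(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t demo_ld32_le(const uint8_t *p) { return demo_ld16_le(p) | (demo_ld16_le(p + 2) << 16); }
static void demo_st16_le(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void demo_st32_le(uint8_t *p, uint32_t v)
{
    demo_st16_le(p, (uint16_t)v);
    demo_st16_le(p + 2, (uint16_t)(v >> 16));
}

/* Constructed device state: a 6-byte MAC followed by unrelated bytes that
 * a 32-bit load at offset 4 would have pulled into the register value. */
struct demo_nic {
    uint8_t mac[6];
    uint8_t neighbour[2];
};
static const struct demo_nic demo_init = {
    { 0x52, 0x54, 0x00, 0x12, 0x34, 0x56 }, { 0xaa, 0xbb }
};

/* LOW covers MAC bytes 0..3, HIGH covers bytes 4..5 only. */
uint32_t demo_read_low(const struct demo_nic *n)  { return demo_ld32_le(n->mac); }
uint32_t demo_read_high(const struct demo_nic *n) { return demo_ld16_le(n->mac + 4); }

/* Guest writes both registers; returns 1 if only mac[] changed and the
 * registers read back as written (HIGH truncated to 16 bits). */
int demo_write_roundtrip(void)
{
    struct demo_nic n = demo_init;
    demo_st32_le(n.mac, 0x44332211u);
    demo_st16_le(n.mac + 4, (uint16_t)0xdead6655u);
    return demo_read_low(&n) == 0x44332211u && demo_read_high(&n) == 0x6655u &&
           n.neighbour[0] == 0xaa && n.neighbour[1] == 0xbb;
}

int main(void)
{
    printf("LOW=0x%08x HIGH=0x%08x roundtrip=%d\n", (unsigned)demo_read_low(&demo_init),
           (unsigned)demo_read_high(&demo_init), demo_write_roundtrip());
    return 0;
}
```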