From patchwork Thu Apr 25 10:39:46 2024
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 791990
From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 25/37] hw/dma: avoid apparent overflow in soc_dma_set_request
Date: Thu, 25 Apr 2024 11:39:46 +0100
Message-Id: <20240425103958.3237225-26-peter.maydell@linaro.org>
In-Reply-To: <20240425103958.3237225-1-peter.maydell@linaro.org>
References: <20240425103958.3237225-1-peter.maydell@linaro.org>

From: Anastasia Belova

In soc_dma_set_request() we try to set a bit in a uint64_t, but we do it with "1 << ch->num", which can't set any bits past 31; any use for a channel number of 32 or more would fail due to integer overflow.

This doesn't happen in practice for our current use of this code, because the worst case is when we call soc_dma_init() with an argument of 32 for the number of channels, and QEMU builds with -fwrapv so the shift into the sign bit is well-defined. However, it's obviously not the intended behaviour of the code.

Add casts to force the shift to be done as 64-bit arithmetic, allowing up to 64 channels.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: afbb5194d4 ("Handle on-chip DMA controllers in one place, convert OMAP DMA to use it.")
Signed-off-by: Anastasia Belova Message-id: 20240409115301.21829-1-abelova@astralinux.ru [PMM: Edit commit message to clarify that this doesn't actually bite us in our current usage of this code.] Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/dma/soc_dma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/dma/soc_dma.c b/hw/dma/soc_dma.c index 3a430057f54..d5c52b804f8 100644 --- a/hw/dma/soc_dma.c +++ b/hw/dma/soc_dma.c @@ -209,9 +209,9 @@ void soc_dma_set_request(struct soc_dma_ch_s *ch, int level) dma->enabled_count += level - ch->enable; if (level) - dma->ch_enable_mask |= 1 << ch->num; + dma->ch_enable_mask |= (uint64_t)1 << ch->num; else - dma->ch_enable_mask &= ~(1 << ch->num); + dma->ch_enable_mask &= ~((uint64_t)1 << ch->num); if (level != ch->enable) { soc_dma_ch_freq_update(dma);
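Review bot: the shift count ch->num is still unchecked at both changed lines in soc_dma_set_request(), so the casts move the limit from bit 31 to bit 63 rather than removing it; a channel number of 64 or more would still be an out-of-range shift on the uint64_t ch_enable_mask. Since the commit message says the channel count comes from the argument to soc_dma_init(), an assertion there that the number of channels is at most 64 would make the new limit explicit and keep a future caller from reintroducing the problem silently. As a style point, `1ULL << ch->num` would express the same 64-bit shift more compactly than `(uint64_t)1 << ch->num`.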