Message ID | 20180114225543.24006-1-frasse.iglesias@gmail.com |
---|---|
State | New |
Series | xilinx_spips: Correct usage of an uninitialized local variable |
On 14 January 2018 at 22:55, Francisco Iglesias <frasse.iglesias@gmail.com> wrote: > Coverity found that the variable tx_rx in the function > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This > patch corrects this by always initializing tx_rx to zeros. > > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> > --- > hw/ssi/xilinx_spips.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > index d8187fa..77e1bbe 100644 > --- a/hw/ssi/xilinx_spips.c > +++ b/hw/ssi/xilinx_spips.c > @@ -210,6 +210,8 @@ > #define SNOOP_NONE 0xEE > #define SNOOP_STRIPING 0 > > +#define MAX_NUM_EFFECTIVE_BUSSES 2 > + > static inline int num_effective_busses(XilinxSPIPS *s) > { > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && > @@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) > for (;;) { > int i; > uint8_t tx = 0; > - uint8_t tx_rx[num_effective_busses(s)]; > + uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 }; > uint8_t dummy_cycles = 0; > uint8_t addr_length; It doesn't look like your device's realize method is sanity checking the num_busses property, so this change means that the user can make the device model segfault by passing it a num_busses property value larger than 2... thanks -- PMM
On Tuesday, 16 January 2018, Peter Maydell <peter.maydell@linaro.org> wrote: > On 14 January 2018 at 22:55, Francisco Iglesias > <frasse.iglesias@gmail.com> wrote: > > Coverity found that the variable tx_rx in the function > > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). > This > > patch corrects this by always initializing tx_rx to zeros. > > > > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> > > --- > > hw/ssi/xilinx_spips.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > > index d8187fa..77e1bbe 100644 > > --- a/hw/ssi/xilinx_spips.c > > +++ b/hw/ssi/xilinx_spips.c > > @@ -210,6 +210,8 @@ > > #define SNOOP_NONE 0xEE > > #define SNOOP_STRIPING 0 > > > > +#define MAX_NUM_EFFECTIVE_BUSSES 2 > > + > > static inline int num_effective_busses(XilinxSPIPS *s) > > { > > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && > > @@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS > *s) > > for (;;) { > > int i; > > uint8_t tx = 0; > > - uint8_t tx_rx[num_effective_busses(s)]; > > + uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 }; > > uint8_t dummy_cycles = 0; > > uint8_t addr_length; > > It doesn't look like your device's realize method is sanity checking > the num_busses property, so this change means that the user can > make the device model segfault by passing it a num_busses property > value larger than 2... > > thanks > -- PMM > Hi Peter, Thank you very much for reviewing the patch and I apologize for missing out on the above. I'll look into a correction and create a new version of the patch. Best regards, Francisco Iglesias
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index d8187fa..77e1bbe 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -210,6 +210,8 @@ #define SNOOP_NONE 0xEE #define SNOOP_STRIPING 0 +#define MAX_NUM_EFFECTIVE_BUSSES 2 + static inline int num_effective_busses(XilinxSPIPS *s) { return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && @@ -573,7 +575,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) for (;;) { int i; uint8_t tx = 0; - uint8_t tx_rx[num_effective_busses(s)]; + uint8_t tx_rx[MAX_NUM_EFFECTIVE_BUSSES] = { 0 }; uint8_t dummy_cycles = 0; uint8_t addr_length;
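Review bot: MAX_NUM_EFFECTIVE_BUSSES is introduced in the first hunk (at -210,6 +210,8) without a comment saying where the value 2 comes from or that it has to stay in step with num_effective_busses(), which is defined directly below it. Suggest a one-line comment on the define stating that it is the upper bound of what num_effective_busses() may return, so that a later change to that function prompts a matching update to the array size used in xilinx_spips_flush_txfifo.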
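Review bot: In the second hunk (at -573,7 +575,7) tx_rx becomes a fixed two-element array, but nothing in the visible lines bounds num_effective_busses(s) to MAX_NUM_EFFECTIVE_BUSSES, so any code that still indexes tx_rx by the effective bus count can run past the array if that count exceeds 2. The removed line `uint8_t tx_rx[num_effective_busses(s)];` sized the buffer to the count; the replacement relies on the count never exceeding the constant. Suggest rejecting an out-of-range num_busses value in the device's realize method, or adding assert(num_effective_busses(s) <= MAX_NUM_EFFECTIVE_BUSSES) before tx_rx is used. The commit message describes only the zero initialization and should also mention the switch from a variable-length array to a fixed size.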
Coverity found that the variable tx_rx in the function xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This patch corrects this by always initializing tx_rx to zeros. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> --- hw/ssi/xilinx_spips.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)