From: Peter Maydell Date: Fri, 30 Aug 2024 17:34:52 +0000 (+0100) Subject: hw/nubus/nubus-device: Range check 'slot' property X-Git-Tag: v9.2.0-rc0~98^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df827aace663fdd9c432e2ff76fb13d20cbc0ca4;p=thirdparty%2Fqemu.git hw/nubus/nubus-device: Range check 'slot' property The TYPE_NUBUS_DEVICE class lets the user specify the nubus slot using an int32 "slot" QOM property. Its realize method doesn't do any range checking on this value, which Coverity notices by way of the possibility that 'nd->slot * NUBUS_SUPER_SLOT_SIZE' might overflow the 32-bit arithmetic it is using. Constrain the slot value to be less than NUBUS_SLOT_NB (16). Resolves: Coverity CID 1464070 Signed-off-by: Peter Maydell Message-ID: <20240830173452.2086140-4-peter.maydell@linaro.org> Reviewed-by: Thomas Huth Reviewed-by: Mark Cave-Ayland Signed-off-by: Thomas Huth --- diff --git a/hw/nubus/nubus-device.c b/hw/nubus/nubus-device.c index be4cb246966..26fbcf29a2b 100644 --- a/hw/nubus/nubus-device.c +++ b/hw/nubus/nubus-device.c @@ -35,6 +35,13 @@ static void nubus_device_realize(DeviceState *dev, Error **errp) uint8_t *rom_ptr; int ret; + if (nd->slot < 0 || nd->slot >= NUBUS_SLOT_NB) { + error_setg(errp, + "'slot' value %d out of range (must be between 0 and %d)", + nd->slot, NUBUS_SLOT_NB - 1); + return; + } + /* Super */ slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;
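Review bot: In nubus_device_realize(), the new check bounds nd->slot, but the multiplication directly below it, `slot_offset = nd->slot * NUBUS_SUPER_SLOT_SIZE;`, is still evaluated in the same 32-bit arithmetic, and nothing in the hunk shows that (NUBUS_SLOT_NB - 1) * NUBUS_SUPER_SLOT_SIZE fits in that width. Suggest a one-line comment above the check stating that bound, or a widening cast on the multiplication if slot_offset is a 64-bit type, so the reasoning that resolves Coverity CID 1464070 is visible in the code rather than only in the commit message. The condition `nd->slot < 0` also rejects every negative value of the int32 property, which the commit message does not mention (it says only "less than NUBUS_SLOT_NB"); if a negative value is used anywhere as an "unassigned" default for this property, confirm that it is always replaced with a real slot number before realize runs, otherwise such devices will now fail with the out-of-range error.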