ppc/spapr: Fix possible pa_features memory overflow

npiggin · npiggin · commit 965797d19a0d · 2025-03-20T19:57:44.000+10:00
Coverity reports a possible memory overflow in spapr_dt_pa_features(). This should not be a true bug since DAWR1 cap is only be true for CPU_POWERPC_LOGICAL_3_10. Add an assertion to ensure any bug there is caught. Resolves: Coverity CID 1593722 Fixes: 5f361ea ("ppc: spapr: Enable 2nd DAWR on Power10 pSeries machine") Reviewed-By: Shivaprasad G Bhat <sbhat@linux.ibm.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
@@ -296,6 +296,7 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,
         pa_features[40 + 2] &= ~0x80; /* Radix MMU */
     }
     if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
+        g_assert(pa_size > 66);
         pa_features[66] |= 0x80;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -296,6 +296,7 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,`
`296`	`296`	`pa_features[40 + 2] &= ~0x80; /* Radix MMU */`
`297`	`297`	`}`
`298`	`298`	`if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {`
	`299`	`+ g_assert(pa_size > 66);`
`299`	`300`	`pa_features[66] \|= 0x80;`
`300`	`301`	`}`
`301`	`302`