authorKlaus Jensen2021-03-12 14:55:29 +0100
committerKlaus Jensen2021-03-18 12:34:51 +0100
commit9c62f1efa854e66ebb0650d85918e4fecd3ec648 (patch)
tree694e900c27622417827de7a8186cef7c3645881c /hw/block
parentMerge remote-tracking branch 'remotes/vivier/tags/q800-for-6.0-pull-request' ... (diff)
hw/block/nvme: fix potential overflow
page_size is a uint32_t, and zasl is a uint8_t, so the expression `page_size << zasl` is done using 32-bit arithmetic and might overflow. Since we then compare this against a 64 bit data_size value, Coverity complains that we might overflow unintentionally. An MDTS/ZASL value in excess of 4GiB is probably impractical, but it is not entirely unrealistic, so add a cast such that we handle that case properly. Fixes: 578d914b263c ("hw/block/nvme: align zoned.zasl with mdts") Fixes: CID 1450756 Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Diffstat (limited to 'hw/block')
-rw-r--r--hw/block/nvme.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index d439e44db8..0d9b980151 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -2188,7 +2188,8 @@ static uint16_t nvme_do_write(NvmeCtrl *n, NvmeRequest *req, bool append,
goto invalid;
}
- if (n->params.zasl && data_size > n->page_size << n->params.zasl) {
+ if (n->params.zasl &&
+ data_size > (uint64_t)n->page_size << n->params.zasl) {
trace_pci_nvme_err_zasl(data_size);
return NVME_INVALID_FIELD | NVME_DNR;
}
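Review bot: The cast on the new condition line widens the shift to 64 bits, but the shift count `n->params.zasl` is still unbounded in this hunk. The commit message says zasl is a uint8_t, so a count of 64 or more makes `(uint64_t)n->page_size << n->params.zasl` undefined, and somewhat smaller counts can still shift page_size bits out and wrap the limit that `data_size` is compared against. Whether the parameter is range-checked where the device is configured is not visible here (nvme_do_write starts and ends outside the hunk). If it is, a comment such as `/* zasl is range-checked at realize time, so this 64-bit shift cannot wrap */` would record that. If it is not, rejecting out-of-range values at configuration time is safer than relying on this comparison.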