
fix: minor memory bugs #784

Closed w-henderson closed 1 year ago

w-henderson commented 1 year ago

Fixes the following Coverity reports:

** CID 417161:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/samples/server.c: 438 in migration_write_data()

________________________________________________________________________________________________________
*** CID 417161:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/samples/server.c: 438 in migration_write_data()
432         }
433    
434         /* write to bar0, if any */
435         if (write_end > server_data->bar1_size) {
436             length_in_bar0 = write_end - write_start;
437             write_start -= server_data->bar1_size;
     CID 417161:  Memory - corruptions  (ARRAY_VS_SINGLETON)
     Using "&server_data->bar0" as an array.  This might corrupt or misinterpret adjacent memory locations.
438             memcpy(&server_data->bar0 + write_start, buf + length_in_bar1,
439                    length_in_bar0);
440         }
441    
442         server_data->migration.bytes_transferred += bytes_written;
443    

** CID 417160:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/samples/server.c: 394 in migration_read_data()

________________________________________________________________________________________________________
*** CID 417160:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/samples/server.c: 394 in migration_read_data()
388         }
389    
390         /* read bar0, if any */
391         if (read_end > server_data->bar1_size) {
392             length_in_bar0 = read_end - read_start;
393             read_start -= server_data->bar1_size;
     CID 417160:  Memory - corruptions  (ARRAY_VS_SINGLETON)
     Using "&server_data->bar0" as an array.  This might corrupt or misinterpret adjacent memory locations.
394             memcpy(buf + length_in_bar1, &server_data->bar0 + read_start,
395                    length_in_bar0);
396         }
397    
398         server_data->migration.bytes_transferred += bytes_read;
399    

** CID 417159:  Possible Control flow issues  (DEADCODE)
/lib/libvfio-user.c: 121 in dev_get_caps()

________________________________________________________________________________________________________
*** CID 417159:  Possible Control flow issues  (DEADCODE)
/lib/libvfio-user.c: 121 in dev_get_caps()
115    
116         header = (struct vfio_info_cap_header*)(vfio_reg + 1);
117    
118         if (vfu_reg->mmap_areas != NULL) {
119             int i, nr_mmap_areas = vfu_reg->nr_mmap_areas;
120             if (type != NULL) {
     CID 417159:  Possible Control flow issues  (DEADCODE)
     Execution cannot reach this statement: "type->header.next = vfio_re...".
121                 type->header.next = vfio_reg->cap_offset + sizeof(struct vfio_region_info_cap_type);
122                 sparse = (struct vfio_region_info_cap_sparse_mmap*)(type + 1);
123             } else {
124                 vfio_reg->cap_offset = sizeof(struct vfio_region_info);
125                 sparse = (struct vfio_region_info_cap_sparse_mmap*)header;
126             }
jlevon commented 1 year ago

please add the actual reports from coverity to the commit msg

w-henderson commented 1 year ago

@jlevon Will this actually resolve the report? Given that we're still doing pointer arithmetic on a pointer that doesn't point to an array?

jlevon commented 1 year ago

@jlevon Will this actually resolve the report? Given that we're still doing pointer arithmetic on a pointer that doesn't point to an array?

should do yes