hw/dma/xlnx_dpdma: Read descriptor into buffer, not into pointer-to-buffer

In fdf029762f we factored out the handling of reading and writing
DMA descriptors from guest memory.  Unfortunately we accidentally
made the descriptor-read read the descriptor into the address of the
buffer rather than into the buffer, because we didn't notice we
needed to update the arguments to the dma_memory_read() call. Before
the refactoring, "&desc" is the address of a local struct DPDMADescriptor
variable in xlnx_dpdma_start_operation(), which is the correct target
for the guest-memory-read. But after the refactoring 'desc' is the
"DPDMADescriptor *desc" argument to the new function, and so it is
already an address.

This bug is an overrun of a stack variable, since a pointer is at
most 8 bytes long and we try to read 64 bytes, as well as being
incorrect behaviour.

Pass 'desc' rather than '&desc' as the dma_memory_read() argument
to fix this.

(The same bug is not present in xlnx_dpdma_write_descriptor(),
because there we are writing the descriptor from a local struct
variable "DPDMADescriptor tmp_desc" and so passing &tmp_desc to
dma_memory_write() is correct.)

Spotted by Coverity: CID 1546649

Fixes: fdf029762f ("xlnx_dpdma: fix descriptor endianness bug")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240531124628.476938-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
This commit is contained in:
Peter Maydell 2024-05-31 13:46:28 +01:00 committed by Philippe Mathieu-Daudé
parent af1cf62401
commit a7d8244be9

View File

@ -619,7 +619,7 @@ static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
DPDMADescriptor *desc) DPDMADescriptor *desc)
{ {
MemTxResult res = dma_memory_read(&address_space_memory, desc_addr, MemTxResult res = dma_memory_read(&address_space_memory, desc_addr,
&desc, sizeof(DPDMADescriptor), desc, sizeof(DPDMADescriptor),
MEMTXATTRS_UNSPECIFIED); MEMTXATTRS_UNSPECIFIED);
if (res) { if (res) {
return res; return res;