authorPeter Maydell <peter.maydell@linaro.org>2017-10-10 16:54:16 +0100
committerPeter Maydell <peter.maydell@linaro.org>2017-10-12 16:33:16 +0100
commitcf5f7937b05c84d5565134f058c00cd48304a117 (patch)
tree74f97fd1d01bc8f8b372387bd98d08a7ad12c7df
parenta94bb9cd586c50d13b68e5fa4628cc36e29805c4 (diff)
downloadqemu-arm-cf5f7937b05c84d5565134f058c00cd48304a117.tar.gz
nvic: Fix miscalculation of offsets into ITNS arraypull-target-arm-20171012
This calculation of the first exception vector in the ITNS<n> register being accessed: int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ; is incorrect, because offset is in bytes, so we only want to multiply by 8. Spotted by Coverity (CID 1381484, CID 1381488), though it is not correct that it actually overflows the buffer, because we have a 'startvec + i < s->num_irq' guard. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1507650856-11718-1-git-send-email-peter.maydell@linaro.org
-rw-r--r--hw/intc/armv7m_nvic.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index a42961c643..be46639b63 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -698,7 +698,7 @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
return ((s->num_irq - NVIC_FIRST_IRQ) / 32) - 1;
case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
{
- int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+ int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
int i;
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {
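Review bot: The factor in `int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;` is a bytes-to-IRQs unit conversion with nothing in the code to say so, which is how the earlier `32` went unnoticed. A comment above it such as `/* offset is in bytes; each 4-byte ITNS<n> register covers 32 IRQs, i.e. 8 per byte */` would make this explicit, and the identical line in the nvic_writel hunk needs the same comment (or both could call one small static helper). The commit message relies on the `startvec + i < s->num_irq` guard to keep the array index in bounds; that guard lies outside both hunks, so it is worth confirming it precedes every index into the ITNS array in both functions. The formula also presumably assumes a word-aligned offset, which cannot be confirmed from the lines shown; both case bodies continue past the end of their hunks.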
@@ -1102,7 +1102,7 @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
switch (offset) {
case 0x380 ... 0x3bf: /* NVIC_ITNS<n> */
{
- int startvec = 32 * (offset - 0x380) + NVIC_FIRST_IRQ;
+ int startvec = 8 * (offset - 0x380) + NVIC_FIRST_IRQ;
int i;
if (!arm_feature(&cpu->env, ARM_FEATURE_V8)) {