In tpm_tis_mmio_read(), tpm_tis_mmio_write() and
tpm_tis_dump_state(), we calculate a locality index with
tpm_tis_locality_from_addr() and then use it as an index into the
s->loc[] array. In all these cases, the array index can't overflow
because the MemoryRegion is sized to be TPM_TIS_NUM_LOCALITIES <<
TPM_TIS_LOCALITY_SHIFT bytes. However, Coverity can't see that, and
it complains (CID 1487138, 1487180, 1487188, 1487198, 1487240).
---
Tested with 'make check' only...
hw/tpm/tpm_tis_common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
index e700d821816..81edae410c8 100644
--- a/hw/tpm/tpm_tis_common.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -295,6 +295,8 @@ static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
uint8_t locty = tpm_tis_locality_from_addr(addr);
hwaddr base = addr & ~0xfff;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
printf("tpm_tis: active locality : %d\n"
"tpm_tis: state of locality %d : %d\n"
"tpm_tis: register dump:\n",
@@ -336,6 +338,8 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
uint32_t avail;
uint8_t v;
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
if (tpm_backend_had_startup_error(s->be_driver)) {
return 0;
}
@@ -458,6 +462,8 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
uint16_t len;
uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
+ assert(TPM_TIS_IS_VALID_LOCTY(locty));
+
trace_tpm_tis_mmio_write(size, addr, val);
if (locty == 4) {