* [PATCH v2 0/2] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO
From: Jamin Lin @ 2026-02-10 2:43 UTC (permalink / raw)
To: Cédric Le Goater, Peter Maydell, Steven Lee, Troy Lee,
Andrew Jeffery, Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Jamin Lin, Troy Lee, Kane Chen
v1:
1. Fix Out-of-Bounds access by using dynamic register array
v2:
1. Fix Out-of-Bounds access by increasing static array size
2. Increase I2C device register size to 0xA0 for AST2700 A1
Jamin Lin (2):
hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
hw/i2c/aspeed_i2c: Increase I2C device register size to 0xA0
include/hw/i2c/aspeed_i2c.h | 3 +-
hw/i2c/aspeed_i2c.c | 58 ++++++++++++++++++-------------------
2 files changed, 29 insertions(+), 32 deletions(-)
--
2.43.0
* [PATCH v2 1/2] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
From: Jamin Lin @ 2026-02-10 2:43 UTC (permalink / raw)
To: Cédric Le Goater, Peter Maydell, Steven Lee, Troy Lee,
Andrew Jeffery, Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Jamin Lin, Troy Lee, Kane Chen
The ASPEED I2C controller exposes a per-bus MMIO window of 0x80 bytes on
AST2600/AST1030/AST2700, but the backing regs[] array was sized for only
28 dwords (0x70 bytes). This allows guest reads in the range [0x70..0x7f]
to index past the end of regs[].
Fix this by:
- Sizing ASPEED_I2C_NEW_NUM_REG to match the 0x80-byte window
(0x80 >> 2 = 32 dwords).
- Avoiding an unconditional pre-read from regs[] in the legacy/new read
handlers. Initialize the return value to -1 and only read regs[] for
offsets that are explicitly handled/valid, leaving invalid offsets to
return -1 with a guest error log.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3290
---
include/hw/i2c/aspeed_i2c.h | 3 +--
hw/i2c/aspeed_i2c.c | 22 ++++++++++------------
2 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/include/hw/i2c/aspeed_i2c.h b/include/hw/i2c/aspeed_i2c.h
index 68bd138026..1ba0112cef 100644
--- a/include/hw/i2c/aspeed_i2c.h
+++ b/include/hw/i2c/aspeed_i2c.h
@@ -36,8 +36,7 @@ OBJECT_DECLARE_TYPE(AspeedI2CState, AspeedI2CClass, ASPEED_I2C)
#define ASPEED_I2C_NR_BUSSES 16
#define ASPEED_I2C_SHARE_POOL_SIZE 0x800
#define ASPEED_I2C_BUS_POOL_SIZE 0x20
-#define ASPEED_I2C_OLD_NUM_REG 11
-#define ASPEED_I2C_NEW_NUM_REG 28
+#define ASPEED_I2C_NEW_NUM_REG (0x80 >> 2)
#define A_I2CD_M_STOP_CMD BIT(5)
#define A_I2CD_M_RX_CMD BIT(3)
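Review bot: The new `ASPEED_I2C_NEW_NUM_REG (0x80 >> 2)` on the `+` line is now the only thing bounding the `bus->regs[offset / sizeof(*bus->regs)]` indexing in the read handlers, yet nothing in the header says it has to track the largest `aic->reg_size` any controller class installs. A comment above the define, `/* Per-bus backing store; must cover the largest aic->reg_size of any supported SoC */`, would record that coupling for the next person who widens a window. If the realize path is where the per-bus MMIO regions are created, a `g_assert(aic->reg_size <= ASPEED_I2C_NEW_NUM_REG * sizeof(uint32_t))` there would turn the assumption into a checked invariant; that code is outside this patch. The removal of `ASPEED_I2C_OLD_NUM_REG` is presumably because it no longer has users, which the diff cannot show.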
diff --git a/hw/i2c/aspeed_i2c.c b/hw/i2c/aspeed_i2c.c
index fb3d6a5600..741c7a7297 100644
--- a/hw/i2c/aspeed_i2c.c
+++ b/hw/i2c/aspeed_i2c.c
@@ -94,7 +94,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus, hwaddr offset,
unsigned size)
{
AspeedI2CClass *aic = ASPEED_I2C_GET_CLASS(bus->controller);
- uint64_t value = bus->regs[offset / sizeof(*bus->regs)];
+ uint64_t value = -1;
switch (offset) {
case A_I2CD_FUN_CTRL:
@@ -105,7 +105,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus, hwaddr offset,
case A_I2CD_DEV_ADDR:
case A_I2CD_POOL_CTRL:
case A_I2CD_BYTE_BUF:
- /* Value is already set, don't do anything. */
+ value = bus->regs[offset / sizeof(*bus->regs)];
break;
case A_I2CD_CMD:
value = SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus->bus));
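Review bot: With `value` now initialised to -1 instead of the pre-read register, the unchanged `case A_I2CD_CMD:` arm at the end of this hunk deposits BUS_BUSY_STS into all-ones rather than into the stored command word, so a guest reading I2CD_CMD no longer sees the bits it wrote. The same regression applies to the unchanged `case A_I2CM_CMD:` arm in the `@@ -159,13 +158,12 @@` hunk of aspeed_i2c_bus_new_read. Both should read the register explicitly: `value = SHARED_FIELD_DP32(bus->regs[offset / sizeof(*bus->regs)], BUS_BUSY_STS, i2c_bus_busy(bus->bus));`. aspeed_i2c_bus_old_read continues outside this hunk.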
@@ -113,21 +113,20 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus, hwaddr offset,
case A_I2CD_DMA_ADDR:
if (!aic->has_dma) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func__);
- value = -1;
break;
}
+ value = bus->regs[offset / sizeof(*bus->regs)];
break;
case A_I2CD_DMA_LEN:
if (!aic->has_dma) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func__);
- value = -1;
+ break;
}
+ value = bus->regs[offset / sizeof(*bus->regs)];
break;
-
default:
qemu_log_mask(LOG_GUEST_ERROR,
"%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, offset);
- value = -1;
break;
}
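Review bot: After this change the `A_I2CD_DMA_ADDR` and `A_I2CD_DMA_LEN` arms are byte-for-byte identical (same `has_dma` test, same log message, same regs[] read), so the two copies could be folded into a single body under `case A_I2CD_DMA_ADDR:` / `case A_I2CD_DMA_LEN:`. Keeping one copy also prevents the two error paths from drifting apart the next time one of them is touched. The `default:` arm returning -1 with a LOG_GUEST_ERROR for any other offset is the right shape now that nothing is read from regs[] before the switch. The function continues past this hunk.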
@@ -139,7 +138,7 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *bus, hwaddr offset,
unsigned size)
{
AspeedI2CClass *aic = ASPEED_I2C_GET_CLASS(bus->controller);
- uint64_t value = bus->regs[offset / sizeof(*bus->regs)];
+ uint64_t value = -1;
switch (offset) {
case A_I2CC_FUN_CTRL:
@@ -159,13 +158,12 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *bus, hwaddr offset,
case A_I2CS_CMD:
case A_I2CS_INTR_CTRL:
case A_I2CS_DMA_LEN_STS:
- /* Value is already set, don't do anything. */
+ case A_I2CS_INTR_STS:
+ value = bus->regs[offset / sizeof(*bus->regs)];
break;
case A_I2CC_DMA_ADDR:
value = extract64(bus->dma_dram_offset, 0, 32);
break;
- case A_I2CS_INTR_STS:
- break;
case A_I2CM_CMD:
value = SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus->bus));
break;
@@ -176,13 +174,13 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *bus, hwaddr offset,
if (!aic->has_dma64) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA 64 bits support\n",
__func__);
- value = -1;
+ break;
}
+ value = bus->regs[offset / sizeof(*bus->regs)];
break;
default:
qemu_log_mask(LOG_GUEST_ERROR,
"%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, offset);
- value = -1;
break;
}
--
2.43.0
* [PATCH v2 2/2] hw/i2c/aspeed_i2c: Increase I2C device register size to 0xA0
From: Jamin Lin @ 2026-02-10 2:43 UTC (permalink / raw)
To: Cédric Le Goater, Peter Maydell, Steven Lee, Troy Lee,
Andrew Jeffery, Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Jamin Lin, Troy Lee, Kane Chen
According to the AST2700 A1 datasheet, the register space for each I2C
device instance has been expanded from 0x80 bytes to 0xA0 bytes.
Update the AST2700 I2C controller configuration to reflect the new
register layout by increasing the per-device register size to 0xA0
and adjusting the register gap size accordingly.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Fixes: 4f53de2f103d6dfb5ad0498995d91a9694f40dd2 ("hw/arm/aspeed_ast27x0: Remove ast2700-a0 SOC")
---
include/hw/i2c/aspeed_i2c.h | 2 +-
hw/i2c/aspeed_i2c.c | 36 ++++++++++++++++++------------------
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/include/hw/i2c/aspeed_i2c.h b/include/hw/i2c/aspeed_i2c.h
index 1ba0112cef..53a9dba71b 100644
--- a/include/hw/i2c/aspeed_i2c.h
+++ b/include/hw/i2c/aspeed_i2c.h
@@ -36,7 +36,7 @@ OBJECT_DECLARE_TYPE(AspeedI2CState, AspeedI2CClass, ASPEED_I2C)
#define ASPEED_I2C_NR_BUSSES 16
#define ASPEED_I2C_SHARE_POOL_SIZE 0x800
#define ASPEED_I2C_BUS_POOL_SIZE 0x20
-#define ASPEED_I2C_NEW_NUM_REG (0x80 >> 2)
+#define ASPEED_I2C_NEW_NUM_REG (0xa0 >> 2)
#define A_I2CD_M_STOP_CMD BIT(5)
#define A_I2CD_M_RX_CMD BIT(3)
diff --git a/hw/i2c/aspeed_i2c.c b/hw/i2c/aspeed_i2c.c
index 741c7a7297..122bfdd63d 100644
--- a/hw/i2c/aspeed_i2c.c
+++ b/hw/i2c/aspeed_i2c.c
@@ -1205,37 +1205,37 @@ static void aspeed_i2c_instance_init(Object *obj)
*
* Address Definitions (AST2700)
* 0x000 ... 0x0FF: Global Register
- * 0x100 ... 0x17F: Device 0
+ * 0x100 ... 0x19F: Device 0
* 0x1A0 ... 0x1BF: Device 0 buffer
- * 0x200 ... 0x27F: Device 1
+ * 0x200 ... 0x29F: Device 1
* 0x2A0 ... 0x2BF: Device 1 buffer
- * 0x300 ... 0x37F: Device 2
+ * 0x300 ... 0x39F: Device 2
* 0x3A0 ... 0x3BF: Device 2 buffer
- * 0x400 ... 0x47F: Device 3
+ * 0x400 ... 0x49F: Device 3
* 0x4A0 ... 0x4BF: Device 3 buffer
- * 0x500 ... 0x57F: Device 4
+ * 0x500 ... 0x59F: Device 4
* 0x5A0 ... 0x5BF: Device 4 buffer
- * 0x600 ... 0x67F: Device 5
+ * 0x600 ... 0x69F: Device 5
* 0x6A0 ... 0x6BF: Device 5 buffer
- * 0x700 ... 0x77F: Device 6
+ * 0x700 ... 0x79F: Device 6
* 0x7A0 ... 0x7BF: Device 6 buffer
- * 0x800 ... 0x87F: Device 7
+ * 0x800 ... 0x89F: Device 7
* 0x8A0 ... 0x8BF: Device 7 buffer
- * 0x900 ... 0x97F: Device 8
+ * 0x900 ... 0x99F: Device 8
* 0x9A0 ... 0x9BF: Device 8 buffer
- * 0xA00 ... 0xA7F: Device 9
+ * 0xA00 ... 0xA9F: Device 9
* 0xAA0 ... 0xABF: Device 9 buffer
- * 0xB00 ... 0xB7F: Device 10
+ * 0xB00 ... 0xB9F: Device 10
* 0xBA0 ... 0xBBF: Device 10 buffer
- * 0xC00 ... 0xC7F: Device 11
+ * 0xC00 ... 0xC9F: Device 11
* 0xCA0 ... 0xCBF: Device 11 buffer
- * 0xD00 ... 0xD7F: Device 12
+ * 0xD00 ... 0xD9F: Device 12
* 0xDA0 ... 0xDBF: Device 12 buffer
- * 0xE00 ... 0xE7F: Device 13
+ * 0xE00 ... 0xE9F: Device 13
* 0xEA0 ... 0xEBF: Device 13 buffer
- * 0xF00 ... 0xF7F: Device 14
+ * 0xF00 ... 0xF9F: Device 14
* 0xFA0 ... 0xFBF: Device 14 buffer
- * 0x1000 ... 0x107F: Device 15
+ * 0x1000 ... 0x109F: Device 15
* 0x10A0 ... 0x10BF: Device 15 buffer
*/
static void aspeed_i2c_realize(DeviceState *dev, Error **errp)
@@ -1658,8 +1658,8 @@ static void aspeed_2700_i2c_class_init(ObjectClass *klass, const void *data)
dc->desc = "ASPEED 2700 I2C Controller";
aic->num_busses = 16;
- aic->reg_size = 0x80;
- aic->reg_gap_size = 0x80;
+ aic->reg_size = 0xa0;
+ aic->reg_gap_size = 0x60;
aic->gap = -1; /* no gap */
aic->bus_get_irq = aspeed_2600_i2c_bus_get_irq;
aic->pool_size = 0x20;
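Review bot: Raising `aic->reg_size` to 0xa0 widens the AST2700 per-bus MMIO window, but nothing in this series extends the offset case lists of the read handlers, so as far as the visible code shows a guest read in [0x80, 0x9F] now lands in `default:` and gets -1 plus a LOG_GUEST_ERROR "Bad offset" even though the offset is inside the advertised window. That is safe memory-wise (1/2 sizes the array to match) but it leaves the A1 registers unmodelled and makes the error log fire on legitimate accesses; a comment on the assignment, `/* AST2700 A1: 0x80..0x9F not yet modelled; reads return -1 */`, would flag the gap until the handlers are extended. The new `reg_gap_size = 0x60` is hard-coded separately from `reg_size`; a short comment that it is 0x100 - 0xa0 and, per the layout comment in the previous hunk, contains the 0x20-byte device buffer would explain why the two numbers move together. aspeed_2700_i2c_class_init continues outside this hunk.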
--
2.43.0
* Re: [PATCH v2 2/2] hw/i2c/aspeed_i2c: Increase I2C device register size to 0xA0
From: Cédric Le Goater @ 2026-02-10 8:05 UTC (permalink / raw)
To: Jamin Lin, Peter Maydell, Steven Lee, Troy Lee, Andrew Jeffery,
Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Troy Lee, Kane Chen
On 2/10/26 03:43, Jamin Lin wrote:
> According to the AST2700 A1 datasheet, the register space for each I2C
> device instance has been expanded from 0x80 bytes to 0xA0 bytes.
>
> Update the AST2700 I2C controller configuration to reflect the new
> register layout by increasing the per-device register size to 0xA0
> and adjusting the register gap size accordingly.
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> Fixes: 4f53de2f103d6dfb5ad0498995d91a9694f40dd2 ("hw/arm/aspeed_ast27x0: Remove ast2700-a0 SOC")
> ---
> include/hw/i2c/aspeed_i2c.h | 2 +-
> hw/i2c/aspeed_i2c.c | 36 ++++++++++++++++++------------------
> 2 files changed, 19 insertions(+), 19 deletions(-)
>
> diff --git a/include/hw/i2c/aspeed_i2c.h b/include/hw/i2c/aspeed_i2c.h
> index 1ba0112cef..53a9dba71b 100644
> --- a/include/hw/i2c/aspeed_i2c.h
> +++ b/include/hw/i2c/aspeed_i2c.h
> @@ -36,7 +36,7 @@ OBJECT_DECLARE_TYPE(AspeedI2CState, AspeedI2CClass, ASPEED_I2C)
> #define ASPEED_I2C_NR_BUSSES 16
> #define ASPEED_I2C_SHARE_POOL_SIZE 0x800
> #define ASPEED_I2C_BUS_POOL_SIZE 0x20
> -#define ASPEED_I2C_NEW_NUM_REG (0x80 >> 2)
> +#define ASPEED_I2C_NEW_NUM_REG (0xa0 >> 2)
>
> #define A_I2CD_M_STOP_CMD BIT(5)
> #define A_I2CD_M_RX_CMD BIT(3)
> diff --git a/hw/i2c/aspeed_i2c.c b/hw/i2c/aspeed_i2c.c
> index 741c7a7297..122bfdd63d 100644
> --- a/hw/i2c/aspeed_i2c.c
> +++ b/hw/i2c/aspeed_i2c.c
> @@ -1205,37 +1205,37 @@ static void aspeed_i2c_instance_init(Object *obj)
> *
> * Address Definitions (AST2700)
> * 0x000 ... 0x0FF: Global Register
> - * 0x100 ... 0x17F: Device 0
> + * 0x100 ... 0x19F: Device 0
> * 0x1A0 ... 0x1BF: Device 0 buffer
> - * 0x200 ... 0x27F: Device 1
> + * 0x200 ... 0x29F: Device 1
> * 0x2A0 ... 0x2BF: Device 1 buffer
> - * 0x300 ... 0x37F: Device 2
> + * 0x300 ... 0x39F: Device 2
> * 0x3A0 ... 0x3BF: Device 2 buffer
> - * 0x400 ... 0x47F: Device 3
> + * 0x400 ... 0x49F: Device 3
> * 0x4A0 ... 0x4BF: Device 3 buffer
> - * 0x500 ... 0x57F: Device 4
> + * 0x500 ... 0x59F: Device 4
> * 0x5A0 ... 0x5BF: Device 4 buffer
> - * 0x600 ... 0x67F: Device 5
> + * 0x600 ... 0x69F: Device 5
> * 0x6A0 ... 0x6BF: Device 5 buffer
> - * 0x700 ... 0x77F: Device 6
> + * 0x700 ... 0x79F: Device 6
> * 0x7A0 ... 0x7BF: Device 6 buffer
> - * 0x800 ... 0x87F: Device 7
> + * 0x800 ... 0x89F: Device 7
> * 0x8A0 ... 0x8BF: Device 7 buffer
> - * 0x900 ... 0x97F: Device 8
> + * 0x900 ... 0x99F: Device 8
> * 0x9A0 ... 0x9BF: Device 8 buffer
> - * 0xA00 ... 0xA7F: Device 9
> + * 0xA00 ... 0xA9F: Device 9
> * 0xAA0 ... 0xABF: Device 9 buffer
> - * 0xB00 ... 0xB7F: Device 10
> + * 0xB00 ... 0xB9F: Device 10
> * 0xBA0 ... 0xBBF: Device 10 buffer
> - * 0xC00 ... 0xC7F: Device 11
> + * 0xC00 ... 0xC9F: Device 11
> * 0xCA0 ... 0xCBF: Device 11 buffer
> - * 0xD00 ... 0xD7F: Device 12
> + * 0xD00 ... 0xD9F: Device 12
> * 0xDA0 ... 0xDBF: Device 12 buffer
> - * 0xE00 ... 0xE7F: Device 13
> + * 0xE00 ... 0xE9F: Device 13
> * 0xEA0 ... 0xEBF: Device 13 buffer
> - * 0xF00 ... 0xF7F: Device 14
> + * 0xF00 ... 0xF9F: Device 14
> * 0xFA0 ... 0xFBF: Device 14 buffer
> - * 0x1000 ... 0x107F: Device 15
> + * 0x1000 ... 0x109F: Device 15
> * 0x10A0 ... 0x10BF: Device 15 buffer
> */
> static void aspeed_i2c_realize(DeviceState *dev, Error **errp)
> @@ -1658,8 +1658,8 @@ static void aspeed_2700_i2c_class_init(ObjectClass *klass, const void *data)
> dc->desc = "ASPEED 2700 I2C Controller";
>
> aic->num_busses = 16;
> - aic->reg_size = 0x80;
> - aic->reg_gap_size = 0x80;
> + aic->reg_size = 0xa0;
> + aic->reg_gap_size = 0x60;
> aic->gap = -1; /* no gap */
> aic->bus_get_irq = aspeed_2600_i2c_bus_get_irq;
> aic->pool_size = 0x20;
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Thanks,
C.
* Re: [PATCH v2 1/2] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
From: Cédric Le Goater @ 2026-02-10 14:57 UTC (permalink / raw)
To: Jamin Lin, Peter Maydell, Steven Lee, Troy Lee, Andrew Jeffery,
Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Troy Lee, Kane Chen
On 2/10/26 03:43, Jamin Lin wrote:
> The ASPEED I2C controller exposes a per-bus MMIO window of 0x80 bytes on
> AST2600/AST1030/AST2700, but the backing regs[] array was sized for only
> 28 dwords (0x70 bytes). This allows guest reads in the range [0x70..0x7f]
> to index past the end of regs[].
>
> Fix this by:
> - Sizing ASPEED_I2C_NEW_NUM_REG to match the 0x80-byte window
> (0x80 >> 2 = 32 dwords).
> - Avoiding an unconditional pre-read from regs[] in the legacy/new read
> handlers. Initialize the return value to -1 and only read regs[] for
> offsets that are explicitly handled/valid, leaving invalid offsets to
> return -1 with a guest error log.
>
> Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3290
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Thanks,
C.
> ---
> include/hw/i2c/aspeed_i2c.h | 3 +--
> hw/i2c/aspeed_i2c.c | 22 ++++++++++------------
> 2 files changed, 11 insertions(+), 14 deletions(-)
>
> diff --git a/include/hw/i2c/aspeed_i2c.h b/include/hw/i2c/aspeed_i2c.h
> index 68bd138026..1ba0112cef 100644
> --- a/include/hw/i2c/aspeed_i2c.h
> +++ b/include/hw/i2c/aspeed_i2c.h
> @@ -36,8 +36,7 @@ OBJECT_DECLARE_TYPE(AspeedI2CState, AspeedI2CClass, ASPEED_I2C)
> #define ASPEED_I2C_NR_BUSSES 16
> #define ASPEED_I2C_SHARE_POOL_SIZE 0x800
> #define ASPEED_I2C_BUS_POOL_SIZE 0x20
> -#define ASPEED_I2C_OLD_NUM_REG 11
> -#define ASPEED_I2C_NEW_NUM_REG 28
> +#define ASPEED_I2C_NEW_NUM_REG (0x80 >> 2)
>
> #define A_I2CD_M_STOP_CMD BIT(5)
> #define A_I2CD_M_RX_CMD BIT(3)
> diff --git a/hw/i2c/aspeed_i2c.c b/hw/i2c/aspeed_i2c.c
> index fb3d6a5600..741c7a7297 100644
> --- a/hw/i2c/aspeed_i2c.c
> +++ b/hw/i2c/aspeed_i2c.c
> @@ -94,7 +94,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus, hwaddr offset,
> unsigned size)
> {
> AspeedI2CClass *aic = ASPEED_I2C_GET_CLASS(bus->controller);
> - uint64_t value = bus->regs[offset / sizeof(*bus->regs)];
> + uint64_t value = -1;
>
> switch (offset) {
> case A_I2CD_FUN_CTRL:
> @@ -105,7 +105,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus, hwaddr offset,
> case A_I2CD_DEV_ADDR:
> case A_I2CD_POOL_CTRL:
> case A_I2CD_BYTE_BUF:
> - /* Value is already set, don't do anything. */
> + value = bus->regs[offset / sizeof(*bus->regs)];
> break;
> case A_I2CD_CMD:
> value = SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus->bus));
> @@ -113,21 +113,20 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus, hwaddr offset,
> case A_I2CD_DMA_ADDR:
> if (!aic->has_dma) {
> qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func__);
> - value = -1;
> break;
> }
> + value = bus->regs[offset / sizeof(*bus->regs)];
> break;
> case A_I2CD_DMA_LEN:
> if (!aic->has_dma) {
> qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func__);
> - value = -1;
> + break;
> }
> + value = bus->regs[offset / sizeof(*bus->regs)];
> break;
> -
> default:
> qemu_log_mask(LOG_GUEST_ERROR,
> "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, offset);
> - value = -1;
> break;
> }
>
> @@ -139,7 +138,7 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *bus, hwaddr offset,
> unsigned size)
> {
> AspeedI2CClass *aic = ASPEED_I2C_GET_CLASS(bus->controller);
> - uint64_t value = bus->regs[offset / sizeof(*bus->regs)];
> + uint64_t value = -1;
>
> switch (offset) {
> case A_I2CC_FUN_CTRL:
> @@ -159,13 +158,12 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *bus, hwaddr offset,
> case A_I2CS_CMD:
> case A_I2CS_INTR_CTRL:
> case A_I2CS_DMA_LEN_STS:
> - /* Value is already set, don't do anything. */
> + case A_I2CS_INTR_STS:
> + value = bus->regs[offset / sizeof(*bus->regs)];
> break;
> case A_I2CC_DMA_ADDR:
> value = extract64(bus->dma_dram_offset, 0, 32);
> break;
> - case A_I2CS_INTR_STS:
> - break;
> case A_I2CM_CMD:
> value = SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus->bus));
> break;
> @@ -176,13 +174,13 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *bus, hwaddr offset,
> if (!aic->has_dma64) {
> qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA 64 bits support\n",
> __func__);
> - value = -1;
> + break;
> }
> + value = bus->regs[offset / sizeof(*bus->regs)];
> break;
> default:
> qemu_log_mask(LOG_GUEST_ERROR,
> "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, offset);
> - value = -1;
> break;
> }
>
* Re: [PATCH v2 0/2] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO
From: Cédric Le Goater @ 2026-02-11 12:10 UTC (permalink / raw)
To: Jamin Lin, Peter Maydell, Steven Lee, Troy Lee, Andrew Jeffery,
Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Troy Lee, Kane Chen
On 2/10/26 03:43, Jamin Lin wrote:
> v1:
> 1. Fix Out-of-Bounds access by using dynamic register array
>
> v2:
> 1. Fix Out-of-Bounds access by increasing static array size
> 2. Increase I2C device register size to 0xA0 for AST2700 A1
>
> Jamin Lin (2):
> hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
> hw/i2c/aspeed_i2c: Increase I2C device register size to 0xA0
>
> include/hw/i2c/aspeed_i2c.h | 3 +-
> hw/i2c/aspeed_i2c.c | 58 ++++++++++++++++++-------------------
> 2 files changed, 29 insertions(+), 32 deletions(-)
>
Applied to aspeed-next.
Thanks,
C.
* Re: [PATCH v2 0/2] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO
From: Michael Tokarev @ 2026-02-13 12:15 UTC (permalink / raw)
To: Jamin Lin, Cédric Le Goater, Peter Maydell, Steven Lee,
Troy Lee, Andrew Jeffery, Joel Stanley, open list:ASPEED BMCs,
open list:All patches CC here
Cc: Troy Lee, Kane Chen, qemu-stable
On 2/10/26 05:43, Jamin Lin wrote:
> v1:
> 1. Fix Out-of-Bounds access by using dynamic register array
>
> v2:
> 1. Fix Out-of-Bounds access by increasing static array size
> 2. Increase I2C device register size to 0xA0 for AST2700 A1
>
> Jamin Lin (2):
> hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
> hw/i2c/aspeed_i2c: Increase I2C device register size to 0xA0
>
> include/hw/i2c/aspeed_i2c.h | 3 +-
> hw/i2c/aspeed_i2c.c | 58 ++++++++++++++++++-------------------
> 2 files changed, 29 insertions(+), 32 deletions(-)
I'm picking this up for current qemu-stable releases.
Please let me know if I shouldn't.
Thanks,
/mjt