* [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
@ 2023-03-14 17:08 Peter Maydell
2023-03-14 17:44 ` Thomas Huth
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Peter Maydell @ 2023-03-14 17:08 UTC (permalink / raw)
To: qemu-arm, qemu-devel; +Cc: Edgar E. Iglesias, Alistair Francis
The cadence UART attempts to avoid allowing the guset to set invalid
baud rate register values in the uart_write() function. However it
does the "mask to the size of the register field" and "check for
invalid values" in the wrong order, which means that a malicious
guest can get a bogus value into the register by setting also some
high bits in the value, and cause QEMU to crash by division-by-zero.
Do the mask before the bounds check instead of afterwards.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/char/cadence_uart.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index c069a30842e..807e3985419 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
}
break;
case R_BRGR: /* Baud rate generator */
+ value &= 0xffff;
if (value >= 0x01) {
- s->r[offset] = value & 0xFFFF;
+ s->r[offset] = value;
}
break;
case R_BDIV: /* Baud rate divider */
+ value &= 0xff;
if (value >= 0x04) {
- s->r[offset] = value & 0xFF;
+ s->r[offset] = value;
}
break;
default:
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
@ 2023-03-14 17:44 ` Thomas Huth
2023-03-14 18:50 ` Edgar E. Iglesias
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2023-03-14 17:44 UTC (permalink / raw)
To: Peter Maydell, qemu-arm, qemu-devel; +Cc: Edgar E. Iglesias, Alistair Francis
On 14/03/2023 18.08, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function. However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/char/cadence_uart.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
> }
> break;
> case R_BRGR: /* Baud rate generator */
> + value &= 0xffff;
> if (value >= 0x01) {
> - s->r[offset] = value & 0xFFFF;
> + s->r[offset] = value;
> }
> break;
> case R_BDIV: /* Baud rate divider */
> + value &= 0xff;
> if (value >= 0x04) {
> - s->r[offset] = value & 0xFF;
> + s->r[offset] = value;
> }
> break;
> default:
Reviewed-by: Thomas Huth <thuth@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
2023-03-14 17:44 ` Thomas Huth
@ 2023-03-14 18:50 ` Edgar E. Iglesias
2023-03-14 23:35 ` Wilfred Mallawa
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Edgar E. Iglesias @ 2023-03-14 18:50 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel, Alistair Francis
[-- Attachment #1: Type: text/plain, Size: 1641 bytes --]
On Tue, Mar 14, 2023 at 6:08 PM Peter Maydell <peter.maydell@linaro.org>
wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function. However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>
Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com>
> ---
> hw/char/cadence_uart.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr
> offset,
> }
> break;
> case R_BRGR: /* Baud rate generator */
> + value &= 0xffff;
> if (value >= 0x01) {
> - s->r[offset] = value & 0xFFFF;
> + s->r[offset] = value;
> }
> break;
> case R_BDIV: /* Baud rate divider */
> + value &= 0xff;
> if (value >= 0x04) {
> - s->r[offset] = value & 0xFF;
> + s->r[offset] = value;
> }
> break;
> default:
> --
> 2.34.1
>
>
[-- Attachment #2: Type: text/html, Size: 2511 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
2023-03-14 17:44 ` Thomas Huth
2023-03-14 18:50 ` Edgar E. Iglesias
@ 2023-03-14 23:35 ` Wilfred Mallawa
2023-03-15 0:04 ` Alistair Francis
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Wilfred Mallawa @ 2023-03-14 23:35 UTC (permalink / raw)
To: peter.maydell@linaro.org, qemu-arm@nongnu.org,
qemu-devel@nongnu.org
Cc: alistair@alistair23.me, edgar.iglesias@gmail.com
On Tue, 2023-03-14 at 17:08 +0000, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function. However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/char/cadence_uart.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque,
> hwaddr offset,
> }
> break;
> case R_BRGR: /* Baud rate generator */
> + value &= 0xffff;
> if (value >= 0x01) {
> - s->r[offset] = value & 0xFFFF;
> + s->r[offset] = value;
> }
> break;
> case R_BDIV: /* Baud rate divider */
> + value &= 0xff;
> if (value >= 0x04) {
> - s->r[offset] = value & 0xFF;
> + s->r[offset] = value;
> }
> break;
> default:
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
` (2 preceding siblings ...)
2023-03-14 23:35 ` Wilfred Mallawa
@ 2023-03-15 0:04 ` Alistair Francis
2023-03-15 8:47 ` Philippe Mathieu-Daudé
2023-03-15 9:27 ` Qiang Liu
5 siblings, 0 replies; 7+ messages in thread
From: Alistair Francis @ 2023-03-15 0:04 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-arm, qemu-devel, Edgar E. Iglesias, Alistair Francis
On Wed, Mar 15, 2023 at 3:09 AM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function. However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Alistair
> ---
> hw/char/cadence_uart.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
> }
> break;
> case R_BRGR: /* Baud rate generator */
> + value &= 0xffff;
> if (value >= 0x01) {
> - s->r[offset] = value & 0xFFFF;
> + s->r[offset] = value;
> }
> break;
> case R_BDIV: /* Baud rate divider */
> + value &= 0xff;
> if (value >= 0x04) {
> - s->r[offset] = value & 0xFF;
> + s->r[offset] = value;
> }
> break;
> default:
> --
> 2.34.1
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
` (3 preceding siblings ...)
2023-03-15 0:04 ` Alistair Francis
@ 2023-03-15 8:47 ` Philippe Mathieu-Daudé
2023-03-15 9:27 ` Qiang Liu
5 siblings, 0 replies; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-03-15 8:47 UTC (permalink / raw)
To: Peter Maydell, qemu-arm, qemu-devel; +Cc: Edgar E. Iglesias, Alistair Francis
On 14/3/23 18:08, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function. However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/char/cadence_uart.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
` (4 preceding siblings ...)
2023-03-15 8:47 ` Philippe Mathieu-Daudé
@ 2023-03-15 9:27 ` Qiang Liu
5 siblings, 0 replies; 7+ messages in thread
From: Qiang Liu @ 2023-03-15 9:27 UTC (permalink / raw)
To: Peter Maydell, qemu-arm, qemu-devel
Cc: Edgar E. Iglesias, Alistair Francis, cyruscyliu
On 3/14/23 6:08 PM, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function. However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> hw/char/cadence_uart.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
> }
> break;
> case R_BRGR: /* Baud rate generator */
> + value &= 0xffff;
> if (value >= 0x01) {
> - s->r[offset] = value & 0xFFFF;
> + s->r[offset] = value;
> }
> break;
> case R_BDIV: /* Baud rate divider */
> + value &= 0xff;
> if (value >= 0x04) {
> - s->r[offset] = value & 0xFF;
> + s->r[offset] = value;
> }
> break;
> default:
Tested on my side.
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-03-15 9:28 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-03-14 17:08 [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings Peter Maydell
2023-03-14 17:44 ` Thomas Huth
2023-03-14 18:50 ` Edgar E. Iglesias
2023-03-14 23:35 ` Wilfred Mallawa
2023-03-15 0:04 ` Alistair Francis
2023-03-15 8:47 ` Philippe Mathieu-Daudé
2023-03-15 9:27 ` Qiang Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).