diff mbox

display: check irq handler index before access

Message ID 20171211105546.16466-1-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Prasad Pandit Dec. 11, 2017, 10:55 a.m. UTC 
From: Prasad J Pandit <pjp@fedoraproject.org>

The ctz32() routine could return value greater than
TC6393XB_GPIOS=16. This could lead to an OOB array access.
Add check to avoid it.

Reported-by: Moguofang <moguofang@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/display/tc6393xb.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Peter Maydell Dec. 11, 2017, 11:11 a.m. UTC | #1 
On 11 December 2017 at 10:55, P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> The ctz32() routine could return value greater than
> TC6393XB_GPIOS=16. This could lead to an OOB array access.
> Add check to avoid it.
>
> Reported-by: Moguofang <moguofang@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/display/tc6393xb.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/hw/display/tc6393xb.c b/hw/display/tc6393xb.c
> index 74d10af3d4..78292cb847 100644
> --- a/hw/display/tc6393xb.c
> +++ b/hw/display/tc6393xb.c
> @@ -175,6 +175,10 @@ static void tc6393xb_gpio_handler_update(TC6393xbState *s)
>
>      for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) {
>          bit = ctz32(diff);
> +        if (bit >= TC6393XB_GPIOS) {
> +            fprintf(stderr, "TC6393xb: no GPIO pin %d\n", bit);
> +            return;
> +        }
>          qemu_set_irq(s->handler[bit], (level >> bit) & 1);
>      }

It would be more sensible to just mask off the top bits of
'level' before starting the loop, rather than checking every
time around the loop:
   level &= MAKE_64BIT_MASK(0, TC6493XB_GPIOS);

Also, if we want to warn about the guest having set a GPIO
bit we don't implement this isn't the best place to do it --
it would make more sense to do that only if the guest writes
something non-zero to SCR_GPO_DSR(2), and as an LOG_UNIMP warning.
But I don't think it's worth the effort since this is only used
on the ancient 'tosa' board.

thanks
-- PMM
Prasad Pandit Dec. 12, 2017, 4:42 a.m. UTC | #2 
+-- On Mon, 11 Dec 2017, Peter Maydell wrote --+
| It would be more sensible to just mask off the top bits of
| 'level' before starting the loop, rather than checking every
| time around the loop:
|    level &= MAKE_64BIT_MASK(0, TC6493XB_GPIOS);

Sent a revised patch v1. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
diff mbox

Patch

diff --git a/hw/display/tc6393xb.c b/hw/display/tc6393xb.c
index 74d10af3d4..78292cb847 100644
--- a/hw/display/tc6393xb.c
+++ b/hw/display/tc6393xb.c
@@ -175,6 +175,10 @@  static void tc6393xb_gpio_handler_update(TC6393xbState *s)
 
     for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) {
         bit = ctz32(diff);
+        if (bit >= TC6393XB_GPIOS) {
+            fprintf(stderr, "TC6393xb: no GPIO pin %d\n", bit);
+            return;
+        }
         qemu_set_irq(s->handler[bit], (level >> bit) & 1);
     }