From patchwork Thu Jan 5 12:57:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Qiang Liu X-Patchwork-Id: 13089801 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2C032C3DA7A for ; Thu, 5 Jan 2023 12:58:31 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pDPoh-0008CA-Ko; Thu, 05 Jan 2023 07:57:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pDPod-0008B0-CU; Thu, 05 Jan 2023 07:57:51 -0500 Received: from [125.120.148.222] (helo=liuqiang-OptiPlex-7060) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pDPo7-00055E-Oz; Thu, 05 Jan 2023 07:57:51 -0500 Received: from localhost (liuqiang-OptiPlex-7060 [local]) by liuqiang-OptiPlex-7060 (OpenSMTPD) with ESMTPA id 85a66881; Thu, 5 Jan 2023 12:57:16 +0000 (UTC) From: Qiang Liu To: qemu-devel@nongnu.org Cc: Qiang Liu , Alistair Francis , "Edgar E. Iglesias" , Peter Maydell , qemu-arm@nongnu.org (open list:Xilinx ZynqMP and...) Subject: [PATCH] hw/display/xlnx_dp: fix overflow in xlnx_dp_aux_push_rx_fifo() Date: Thu, 5 Jan 2023 20:57:12 +0800 Message-Id: <20230105125713.450275-1-cyruscyliu@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Host-Lookup-Failed: Reverse DNS lookup failed for 125.120.148.222 (failed) Received-SPF: softfail client-ip=125.120.148.222; envelope-from=cyruscyliu@gmail.com; helo=liuqiang-OptiPlex-7060 X-Spam_score_int: 48 X-Spam_score: 4.8 X-Spam_bar: ++++ X-Spam_report: (4.8 / 5.0 requ) BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, FSL_HELO_NON_FQDN_1=0.001, HELO_NO_DOMAIN=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_PBL=3.335, RDNS_NONE=0.793, SPF_SOFTFAIL=0.665, SPOOFED_FREEMAIL=0.001, SPOOFED_FREEMAIL_NO_RDNS=0.001, SPOOF_GMAIL_MID=0.001, UNPARSEABLE_RELAY=0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Check s->rx_fifo before pushing data into it. Fixes: 58ac482a66de ("introduce xlnx-dp") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1419 Reported-by: Qiang Liu Signed-off-by: Qiang Liu --- hw/display/xlnx_dp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index 322e2faadd..972473d94f 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -508,6 +508,10 @@ static void xlnx_dp_aux_set_command(XlnxDPState *s, uint32_t value) case READ_AUX: case READ_I2C: case READ_I2C_MOT: + if (nbytes > fifo8_num_free(&s->rx_fifo)) { + qemu_log_mask(LOG_GUEST_ERROR, "xlnx_dp: RX length > available fifo data length"); + nbytes = fifo8_num_free(&s->rx_fifo); + } s->core_registers[DP_AUX_REPLY_CODE] = aux_request(s->aux_bus, cmd, xlnx_dp_aux_get_address(s), nbytes, buf);