hw/char/cadence_uart.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
The cadence UART attempts to avoid allowing the guset to set invalid
baud rate register values in the uart_write() function. However it
does the "mask to the size of the register field" and "check for
invalid values" in the wrong order, which means that a malicious
guest can get a bogus value into the register by setting also some
high bits in the value, and cause QEMU to crash by division-by-zero.
Do the mask before the bounds check instead of afterwards.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/char/cadence_uart.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index c069a30842e..807e3985419 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
}
break;
case R_BRGR: /* Baud rate generator */
+ value &= 0xffff;
if (value >= 0x01) {
- s->r[offset] = value & 0xFFFF;
+ s->r[offset] = value;
}
break;
case R_BDIV: /* Baud rate divider */
+ value &= 0xff;
if (value >= 0x04) {
- s->r[offset] = value & 0xFF;
+ s->r[offset] = value;
}
break;
default:
--
2.34.1
On 3/14/23 6:08 PM, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: Tested on my side. Tested-by: Qiang Liu <cyruscyliu@gmail.com>
On 14/3/23 18:08, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
On Wed, Mar 15, 2023 at 3:09 AM Peter Maydell <peter.maydell@linaro.org> wrote: > > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Alistair > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: > -- > 2.34.1 > >
On Tue, 2023-03-14 at 17:08 +0000, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com> > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, > hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default:
On Tue, Mar 14, 2023 at 6:08 PM Peter Maydell <peter.maydell@linaro.org> wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr > offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: > -- > 2.34.1 > >
On 14/03/2023 18.08, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: Reviewed-by: Thomas Huth <thuth@redhat.com>
© 2016 - 2024 Red Hat, Inc.