1. Patchew
  2. QEMU
  3. View series

[PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings

Peter Maydell posted 1 patch 1 year, 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20230314170804.1196232-1-peter.maydell@linaro.org
Maintainers: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>, Alistair Francis <alistair@alistair23.me>, Peter Maydell <peter.maydell@linaro.org>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
hw/char/cadence_uart.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
[PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Peter Maydell 1 year, 1 month ago 
The cadence UART attempts to avoid allowing the guset to set invalid
baud rate register values in the uart_write() function.  However it
does the "mask to the size of the register field" and "check for
invalid values" in the wrong order, which means that a malicious
guest can get a bogus value into the register by setting also some
high bits in the value, and cause QEMU to crash by division-by-zero.

Do the mask before the bounds check instead of afterwards.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/cadence_uart.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index c069a30842e..807e3985419 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
         }
         break;
     case R_BRGR: /* Baud rate generator */
+        value &= 0xffff;
         if (value >= 0x01) {
-            s->r[offset] = value & 0xFFFF;
+            s->r[offset] = value;
         }
         break;
     case R_BDIV:    /* Baud rate divider */
+        value &= 0xff;
         if (value >= 0x04) {
-            s->r[offset] = value & 0xFF;
+            s->r[offset] = value;
         }
         break;
     default:
-- 
2.34.1
Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Qiang Liu 1 year, 1 month ago 
On 3/14/23 6:08 PM, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function.  However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/char/cadence_uart.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
>           }
>           break;
>       case R_BRGR: /* Baud rate generator */
> +        value &= 0xffff;
>           if (value >= 0x01) {
> -            s->r[offset] = value & 0xFFFF;
> +            s->r[offset] = value;
>           }
>           break;
>       case R_BDIV:    /* Baud rate divider */
> +        value &= 0xff;
>           if (value >= 0x04) {
> -            s->r[offset] = value & 0xFF;
> +            s->r[offset] = value;
>           }
>           break;
>       default:

Tested on my side.

Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Philippe Mathieu-Daudé 1 year, 1 month ago 
On 14/3/23 18:08, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function.  However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
> 
> Do the mask before the bounds check instead of afterwards.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/char/cadence_uart.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Alistair Francis 1 year, 1 month ago 
On Wed, Mar 15, 2023 at 3:09 AM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function.  However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Alistair

> ---
>  hw/char/cadence_uart.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
>          }
>          break;
>      case R_BRGR: /* Baud rate generator */
> +        value &= 0xffff;
>          if (value >= 0x01) {
> -            s->r[offset] = value & 0xFFFF;
> +            s->r[offset] = value;
>          }
>          break;
>      case R_BDIV:    /* Baud rate divider */
> +        value &= 0xff;
>          if (value >= 0x04) {
> -            s->r[offset] = value & 0xFF;
> +            s->r[offset] = value;
>          }
>          break;
>      default:
> --
> 2.34.1
>
>
Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Wilfred Mallawa 1 year, 1 month ago 
On Tue, 2023-03-14 at 17:08 +0000, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function.  However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
> 
> Do the mask before the bounds check instead of afterwards.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>  hw/char/cadence_uart.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
> 
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque,
> hwaddr offset,
>          }
>          break;
>      case R_BRGR: /* Baud rate generator */
> +        value &= 0xffff;
>          if (value >= 0x01) {
> -            s->r[offset] = value & 0xFFFF;
> +            s->r[offset] = value;
>          }
>          break;
>      case R_BDIV:    /* Baud rate divider */
> +        value &= 0xff;
>          if (value >= 0x04) {
> -            s->r[offset] = value & 0xFF;
> +            s->r[offset] = value;
>          }
>          break;
>      default:
Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Edgar E. Iglesias 1 year, 1 month ago 
On Tue, Mar 14, 2023 at 6:08 PM Peter Maydell <peter.maydell@linaro.org>
wrote:

> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function.  However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
>
> Do the mask before the bounds check instead of afterwards.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>

Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com>



> ---
>  hw/char/cadence_uart.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr
> offset,
>          }
>          break;
>      case R_BRGR: /* Baud rate generator */
> +        value &= 0xffff;
>          if (value >= 0x01) {
> -            s->r[offset] = value & 0xFFFF;
> +            s->r[offset] = value;
>          }
>          break;
>      case R_BDIV:    /* Baud rate divider */
> +        value &= 0xff;
>          if (value >= 0x04) {
> -            s->r[offset] = value & 0xFF;
> +            s->r[offset] = value;
>          }
>          break;
>      default:
> --
> 2.34.1
>
>
Re: [PATCH for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
Posted by Thomas Huth 1 year, 1 month ago 
On 14/03/2023 18.08, Peter Maydell wrote:
> The cadence UART attempts to avoid allowing the guset to set invalid
> baud rate register values in the uart_write() function.  However it
> does the "mask to the size of the register field" and "check for
> invalid values" in the wrong order, which means that a malicious
> guest can get a bogus value into the register by setting also some
> high bits in the value, and cause QEMU to crash by division-by-zero.
> 
> Do the mask before the bounds check instead of afterwards.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>   hw/char/cadence_uart.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
> index c069a30842e..807e3985419 100644
> --- a/hw/char/cadence_uart.c
> +++ b/hw/char/cadence_uart.c
> @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
>           }
>           break;
>       case R_BRGR: /* Baud rate generator */
> +        value &= 0xffff;
>           if (value >= 0x01) {
> -            s->r[offset] = value & 0xFFFF;
> +            s->r[offset] = value;
>           }
>           break;
>       case R_BDIV:    /* Baud rate divider */
> +        value &= 0xff;
>           if (value >= 0x04) {
> -            s->r[offset] = value & 0xFF;
> +            s->r[offset] = value;
>           }
>           break;
>       default:

Reviewed-by: Thomas Huth <thuth@redhat.com>

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.