From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 03/24] hw/intc: fix heap-buffer-overflow in rxicu_realize()
Date: Mon, 23 Nov 2020 11:42:54 +0000
Message-Id: <20201123114315.13372-4-peter.maydell@linaro.org>
In-Reply-To: <20201123114315.13372-1-peter.maydell@linaro.org>
References: <20201123114315.13372-1-peter.maydell@linaro.org>
From: Chen Qun

When 'j = icu->nr_sense - 1', the 'j < icu->nr_sense' condition is
true, then 'j = icu->nr_sense', the 'icu->init_sense[j]' has
out-of-bounds access.

The asan showed stack:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000004d7d at pc 0x55852cd26a76 bp 0x7ffe39f26200 sp 0x7ffe39f261f0
READ of size 1 at 0x604000004d7d thread T0
    #0 0x55852cd26a75 in rxicu_realize ../hw/intc/rx_icu.c:311
    #1 0x55852cf075f7 in device_set_realized ../hw/core/qdev.c:886
    #2 0x55852cd4a32f in property_set_bool ../qom/object.c:2251
    #3 0x55852cd4f9bb in object_property_set ../qom/object.c:1398
    #4 0x55852cd54f3f in object_property_set_qobject ../qom/qom-qobject.c:28
    #5 0x55852cd4fc3f in object_property_set_bool ../qom/object.c:1465
    #6 0x55852cbf0b27 in register_icu ../hw/rx/rx62n.c:156
    #7 0x55852cbf12a6 in rx62n_realize ../hw/rx/rx62n.c:261
    #8 0x55852cf075f7 in device_set_realized ../hw/core/qdev.c:886
    #9 0x55852cd4a32f in property_set_bool ../qom/object.c:2251
    #10 0x55852cd4f9bb in object_property_set ../qom/object.c:1398
    #11 0x55852cd54f3f in object_property_set_qobject ../qom/qom-qobject.c:28
    #12 0x55852cd4fc3f in object_property_set_bool ../qom/object.c:1465
    #13 0x55852cbf1a85 in rx_gdbsim_init ../hw/rx/rx-gdbsim.c:109
    #14 0x55852cd22de0 in qemu_init ../softmmu/vl.c:4380
    #15 0x55852ca57088 in main ../softmmu/main.c:49
    #16 0x7feefafa5d42 in __libc_start_main (/lib64/libc.so.6+0x26d42)

Add the 'icu->src[i].sense' initialization to the default value, and
then process the init_sense array to identify which irqs should be
level-triggered.

Suggested-by: Peter Maydell
Reported-by: Euler Robot
Signed-off-by: Chen Qun
Reviewed-by: Peter Maydell
Message-id: 20201111141733.2358800-1-kuhn.chenqun@huawei.com
Signed-off-by: Peter Maydell
---
 hw/intc/rx_icu.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/hw/intc/rx_icu.c b/hw/intc/rx_icu.c
index 94e17a9deac..e5c01807b9a 100644
--- a/hw/intc/rx_icu.c
+++ b/hw/intc/rx_icu.c
@@ -300,22 +300,20 @@ static const MemoryRegionOps icu_ops =3D { static void rxicu_realize(DeviceState *dev, Error **errp) { RXICUState *icu =3D RX_ICU(dev); - int i, j; + int i; =20 if (icu->init_sense =3D=3D NULL) { qemu_log_mask(LOG_GUEST_ERROR, "rx_icu: trigger-level property must be set."); return; } - for (i =3D j =3D 0; i < NR_IRQS; i++) { - if (icu->init_sense[j] =3D=3D i) { - icu->src[i].sense =3D TRG_LEVEL; - if (j < icu->nr_sense) { - j++; - } - } else { - icu->src[i].sense =3D TRG_PEDGE; - } + + for (i =3D 0; i < NR_IRQS; i++) { + icu->src[i].sense =3D TRG_PEDGE; + } + for (i =3D 0; i < icu->nr_sense; i++) { + uint8_t irqno =3D icu->init_sense[i]; + icu->src[irqno].sense =3D TRG_LEVEL; } icu->req_irq =3D -1; } --=20 2.20.1
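Review bot: the new second loop indexes icu->src[] with `irqno`, a uint8_t read straight from the init_sense property, with no explicit check against NR_IRQS; that is only safe if NR_IRQS covers the full uint8_t range, and the hunk does not show NR_IRQS's value. The invariant deserves to be stated in the code, e.g. `assert(irqno < NR_IRQS);` after `uint8_t irqno = icu->init_sense[i];` or a comment on the uint8_t declaration, so that a later change to NR_IRQS or to the element type cannot turn this into an out-of-bounds write. Dropping the merge loop also removes the unstated requirement that init_sense be sorted, which is worth a line in the commit message.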
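To make the mechanism in the commit message concrete, here is a small C model of the init_sense to src[].sense mapping that rxicu_realize() performs. It is an added example, not code from QEMU or from the patch author. NR_IRQS is set to 16 for illustration (the hunk does not show QEMU's value); the IcuModel struct, the demo_* helpers and the three sample property arrays are constructed here; and the explicit irqno < NR_IRQS check in the new loop is an addition to the patch's logic. The old loop is modelled so that it reports the index it would have read past the end instead of performing the read, which is what AddressSanitizer caught in the real code.

```c
/*
 * Added example, not QEMU code: a model of the init_sense -> src[].sense
 * mapping in rxicu_realize(). NR_IRQS, TRG_PEDGE, TRG_LEVEL, init_sense and
 * nr_sense are named after the patch; everything else is constructed here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_IRQS 16   /* assumption for illustration; the hunk does not show QEMU's value */
enum { TRG_PEDGE = 0, TRG_LEVEL = 1 };

typedef struct {
    const uint8_t *init_sense;   /* property: irq numbers that are level-triggered */
    int nr_sense;                /* number of entries in init_sense */
    struct { int sense; } src[NR_IRQS];
} IcuModel;

/*
 * The removed single-pass merge loop. It reads init_sense[j] before checking
 * j < nr_sense, so once every entry is consumed the next iteration reads one
 * element past the end. The model returns that index instead of reading it;
 * -1 means the loop finished without overrunning.
 */
static int old_loop_oob_index(IcuModel *icu)
{
    int i, j;
    for (i = j = 0; i < NR_IRQS; i++) {
        if (j >= icu->nr_sense) {
            return j;        /* original code dereferences init_sense[j] here */
        }
        if (icu->init_sense[j] == i) {
            icu->src[i].sense = TRG_LEVEL;
            j++;             /* the original's 'if (j < nr_sense)' guard is always true here */
        } else {
            icu->src[i].sense = TRG_PEDGE;
        }
    }
    return -1;
}

/*
 * The two-pass replacement from the patch: default every source to edge
 * triggering, then mark the listed irqs level-triggered. The range check on
 * irqno is added for this example; returns how many entries were out of range.
 */
static int new_init_sense(IcuModel *icu)
{
    int i, rejected = 0;
    for (i = 0; i < NR_IRQS; i++) {
        icu->src[i].sense = TRG_PEDGE;
    }
    for (i = 0; i < icu->nr_sense; i++) {
        uint8_t irqno = icu->init_sense[i];
        if (irqno >= NR_IRQS) {   /* added check, not in the patch */
            rejected++;
            continue;
        }
        icu->src[irqno].sense = TRG_LEVEL;
    }
    return rejected;
}

static void init_model(IcuModel *icu, const uint8_t *sense, int n)
{
    memset(icu, 0, sizeof(*icu));
    icu->init_sense = sense;
    icu->nr_sense = n;
}

/* Constructed sample values of the trigger-level property. */
static const uint8_t sample_mid[]  = { 2, 5, 9 };    /* old loop overruns after consuming entry 9 */
static const uint8_t sample_last[] = { 2, 15 };      /* last entry is NR_IRQS-1: old loop happens not to */
static const uint8_t sample_bad[]  = { 2, 5, 200 };  /* 200 >= NR_IRQS: rejected by the added check */

/* Index the old loop would read out of bounds for a given property, or -1. */
static int demo_old_oob(const uint8_t *sense, int n)
{
    IcuModel icu;
    init_model(&icu, sense, n);
    return old_loop_oob_index(&icu);
}

/* Number of irqs the new loop leaves level-triggered. */
static int demo_new_levels(const uint8_t *sense, int n)
{
    IcuModel icu;
    int i, levels = 0;
    init_model(&icu, sense, n);
    new_init_sense(&icu);
    for (i = 0; i < NR_IRQS; i++) {
        levels += (icu.src[i].sense == TRG_LEVEL);
    }
    return levels;
}

/* Number of property entries the new loop rejected as out of range. */
static int demo_new_rejected(const uint8_t *sense, int n)
{
    IcuModel icu;
    init_model(&icu, sense, n);
    return new_init_sense(&icu);
}

int main(void)
{
    printf("old loop {2,5,9}: would read init_sense[%d] with nr_sense 3\n", demo_old_oob(sample_mid, 3));
    printf("old loop {2,15}: overrun index %d (none)\n", demo_old_oob(sample_last, 2));
    printf("new loop {2,5,9}: %d level-triggered irqs\n", demo_new_levels(sample_mid, 3));
    printf("new loop {2,5,200}: %d level-triggered irqs, %d rejected\n",
           demo_new_levels(sample_bad, 3), demo_new_rejected(sample_bad, 3));
    return 0;
}
```

The {2,15} case shows why the bug could hide in testing: when the last listed irq is NR_IRQS-1 the old loop exits before the over-read, so whether the overrun happens depends on the property's contents, not on the code path alone.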