From: Denis Rastyogin <gerben@altlinux.org>
Accessing s->core_registers (size 236) could overflow
if the offset goes beyond the valid range.
Since the memory region matches the core_registers size exactly,
the guest cannot write out of bounds.
Therefore, the debug assert has been refined to ensure the offset
remains within DP_CORE_REG_ARRAY_SIZE, preventing internal errors.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
hw/display/xlnx_dp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index 7c980ee642..b35ee2f869 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -896,7 +896,11 @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value,
xlnx_dp_update_irq(s);
break;
default:
- assert(offset <= (0x504C >> 2));
+ /*
+ * Check to ensure the offset is within the bounds of
+ * the core_registers[] array.
+ */
+ assert(offset < DP_CORE_REG_ARRAY_SIZE);
s->core_registers[offset] = value;
break;
}
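Review bot: the new comment in the default arm should state why the strict bound is safe at all, namely that the register MemoryRegion is sized to match core_registers[] so a guest-reachable offset can never exceed DP_CORE_REG_ARRAY_SIZE; without that, a reader sees only an assert() and may assume it is the guard against guest input, which it is not in a non-debug build where assert may be compiled out. The change itself is right: the previous bound `(0x504C >> 2)` (0x1413 entries) was far larger than the 236-entry array, so the old assert could never catch an out-of-range index, and `offset < DP_CORE_REG_ARRAY_SIZE` is the correct strict comparison for an array index used directly in `s->core_registers[offset]`. Suggest extending the comment to something like "The MemoryRegion is DP_CORE_REG_ARRAY_SIZE words, so this is an internal consistency check, not a guest-input bound."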
--
2.42.2