From: Feifan Qian
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Fri, 24 Apr 2026 11:20:31 +0000
Subject: [PATCH] hw/usb/xhci: clamp interval exponent to avoid UB shift in xhci_init_epctx()

The xHCI endpoint context dword 0 bits 23:16 ("Interval") are written
by the guest and passed directly as the shift amount in:

    epctx->interval = 1 << ((ctx[0] >> 16) & 0xff);

The shift amount can be 0-255.  Shifting a 32-bit `int` left by >= 32
is undefined behaviour under C11 §6.5.7p4.
With UBSan (halt_on_error=1) this causes QEMU to abort; with aggressive
compiler optimisations that assume UB is unreachable the result is
unpredictable.

Clamp the exponent to [0, 31] with MIN() before the shift, and use
`1u` (unsigned) to avoid shifting a signed integer.  The xHCI
specification defines a maximum meaningful Interval value of 15 for
most endpoint types; clamping to 31 is the minimal safe fix that
preserves the full unsigned 32-bit range for any compliant value.

Reported-by: Feifan Qian
Signed-off-by: Feifan Qian
---
 hw/usb/hcd-xhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 0000000000..0000000001 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1119,8 +1119,8 @@ static void xhci_init_epctx(XHCIEPContext *epctx,
         xhci_ring_init(epctx->xhci, &epctx->ring, dequeue);
         epctx->ring.ccs = ctx[2] & 1;
     }
 
-    epctx->interval = 1 << ((ctx[0] >> 16) & 0xff);
+    epctx->interval = 1u << MIN((ctx[0] >> 16) & 0xffu, 31u);
 }
 
 static TRBCCode xhci_enable_ep(XHCIState *xhci, unsigned int slotid,
-- 
2.43.0
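Review bot: the `+` line removes the undefined shift, but a guest-written field of 31..255 still yields `epctx->interval == 1u << 31`, a value the commit message itself says no compliant endpoint can have (spec maximum 15); consider `MIN(..., 15u)`, or, since `xhci_init_epctx()` is `void` and cannot report a context error, at least confirm that nothing downstream multiplies or adds to `epctx->interval` in a way that overflows with 2^31. Also, the `index 0000000000..0000000001` line in the file header is a placeholder rather than real blob ids; please regenerate the patch with `git format-patch` against the tree so it applies cleanly with `git am`.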
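An added illustration of the field decoding and the two clamp choices discussed above; this is example code, not the patch's or QEMU's own, and `MIN_U`, `make_ctx0` and the function names are assumptions. It places the patch's clamp to 31 beside a tighter clamp to the spec's stated maximum of 15, and counts how many of the 256 possible field values the old code shifted by an undefined amount.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for QEMU's MIN(); the name is an assumption for this example. */
#define MIN_U(a, b) ((a) < (b) ? (a) : (b))

/* Interval field: endpoint context dword 0, bits 23:16 (per the commit message). */
static inline unsigned epctx_interval_field(uint32_t ctx0)
{
    return (ctx0 >> 16) & 0xffu;
}

/* True when the raw field would be an undefined shift count for a 32-bit int
 * (C11 6.5.7p4: the count must be less than the width of the promoted operand). */
static inline bool interval_shift_is_ub(uint32_t ctx0)
{
    return epctx_interval_field(ctx0) >= 32u;
}

/* The patch's form: unsigned operand, exponent clamped to 31. */
static inline uint32_t epctx_interval_clamped(uint32_t ctx0)
{
    return 1u << MIN_U(epctx_interval_field(ctx0), 31u);
}

/* Tighter alternative: clamp to the spec's meaningful maximum of 15. */
static inline uint32_t epctx_interval_spec_max(uint32_t ctx0)
{
    return 1u << MIN_U(epctx_interval_field(ctx0), 15u);
}

/* Build a constructed dword 0 carrying a chosen Interval value (test input). */
static inline uint32_t make_ctx0(unsigned interval)
{
    return (uint32_t)(interval & 0xffu) << 16;
}

/* How many of the 256 possible field values the old code shifted by illegally. */
static unsigned count_ub_interval_values(void)
{
    unsigned n = 0;
    for (unsigned v = 0; v < 256; v++) {
        n += interval_shift_is_ub(make_ctx0(v));
    }
    return n;
}
```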