Google Git
Sign in
qemu / qemu / 0c88f93788d33795a4c14a0ca999607a6546f8b8
commit0c88f93788d33795a4c14a0ca999607a6546f8b8[log] [tgz]
authorPeter Maydell <peter.maydell@linaro.org>Tue Mar 14 17:08:04 2023 +0000
committerPeter Maydell <peter.maydell@linaro.org>Tue Mar 21 11:54:39 2023 +0000
tree59cc43088c23acbe8dbf743112fe71077c67148b
parent0b903369951cac12ccdfc66a7520b413eca1bb62 [diff]
hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings

The cadence UART attempts to avoid allowing the guest to set invalid
baud rate register values in the uart_write() function.  However it
does the "mask to the size of the register field" and "check for
invalid values" in the wrong order, which means that a malicious
guest can get a bogus value into the register by setting also some
high bits in the value, and cause QEMU to crash by division-by-zero.

Do the mask before the bounds check instead of afterwards.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Message-id: 20230314170804.1196232-1-peter.maydell@linaro.org
1 file changed
tree: 59cc43088c23acbe8dbf743112fe71077c67148b
  1. .github/
  2. .gitlab/
  3. .gitlab-ci.d/
  4. accel/
  5. audio/
  6. authz/
  7. backends/
  8. block/
  9. bsd-user/
  10. chardev/
  11. common-user/
  12. configs/
  13. contrib/
  14. crypto/
  15. disas/
  16. docs/
  17. dump/
  18. ebpf/
  19. fpu/
  20. fsdev/
  21. gdb-xml/
  22. gdbstub/
  23. hw/
  24. include/
  25. io/
  26. libdecnumber/
  27. linux-headers/
  28. linux-user/
  29. migration/
  30. monitor/
  31. nbd/
  32. net/
  33. pc-bios/
  34. plugins/
  35. po/
  36. python/
  37. qapi/
  38. qga/
  39. qobject/
  40. qom/
  41. replay/
  42. roms/
  43. scripts/
  44. scsi/
  45. semihosting/
  46. softmmu/
  47. stats/
  48. storage-daemon/
  49. stubs/
  50. subprojects/
  51. target/
  52. tcg/
  53. tests/
  54. tools/
  55. trace/
  56. ui/
  57. util/
  58. dtc
  59. meson
  60. .cirrus.yml
  61. .dir-locals.el
  62. .editorconfig
  63. .exrc
  64. .gdbinit
  65. .gitattributes
  66. .gitignore
  67. .gitlab-ci.yml
  68. .gitmodules
  69. .gitpublish
  70. .mailmap
  71. .patchew.yml
  72. .readthedocs.yml
  73. .travis.yml
  74. block.c
  75. blockdev-nbd.c
  76. blockdev.c
  77. blockjob.c
  78. configure
  79. COPYING
  80. COPYING.LIB
  81. cpu.c
  82. cpus-common.c
  83. disas.c
  84. event-loop-base.c
  85. gitdm.config
  86. hmp-commands-info.hx
  87. hmp-commands.hx
  88. iothread.c
  89. job-qmp.c
  90. job.c
  91. Kconfig
  92. Kconfig.host
  93. LICENSE
  94. MAINTAINERS
  95. Makefile
  96. memory_ldst.c.inc
  97. meson.build
  98. meson_options.txt
  99. module-common.c
  100. os-posix.c
  101. os-win32.c
  102. page-vary-common.c
  103. page-vary.c
  104. qemu-bridge-helper.c
  105. qemu-edid.c
  106. qemu-img-cmds.hx
  107. qemu-img.c
  108. qemu-io-cmds.c
  109. qemu-io.c
  110. qemu-keymap.c
  111. qemu-nbd.c
  112. qemu-options.hx
  113. qemu.nsi
  114. qemu.sasl
  115. README.rst
  116. replication.c
  117. trace-events
  118. VERSION
  119. version.rc