From: Peter Maydell Date: Tue, 14 Mar 2023 17:08:04 +0000 (+0000) Subject: hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings X-Git-Tag: pull-xen-20230323~3^2~6 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=0c88f93788d33795a4c14a0ca999607a6546f8b8;p=people%2Faperard%2Fqemu-dm.git hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings The cadence UART attempts to avoid allowing the guest to set invalid baud rate register values in the uart_write() function. However it does the "mask to the size of the register field" and "check for invalid values" in the wrong order, which means that a malicious guest can get a bogus value into the register by setting also some high bits in the value, and cause QEMU to crash by division-by-zero. Do the mask before the bounds check instead of afterwards. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 Signed-off-by: Peter Maydell Reviewed-by: Thomas Huth Reviewed-by: Edgar E. Iglesias Reviewed-by: Wilfred Mallawa Reviewed-by: Alistair Francis Reviewed-by: Philippe Mathieu-Daudé Tested-by: Qiang Liu Message-id: 20230314170804.1196232-1-peter.maydell@linaro.org --- diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index c069a30842..807e398541 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, } break; case R_BRGR: /* Baud rate generator */ + value &= 0xffff; if (value >= 0x01) { - s->r[offset] = value & 0xFFFF; + s->r[offset] = value; } break; case R_BDIV: /* Baud rate divider */ + value &= 0xff; if (value >= 0x04) { - s->r[offset] = value & 0xFF; + s->r[offset] = value; } break; default: