From 0c88f93788d33795a4c14a0ca999607a6546f8b8 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 14 Mar 2023 17:08:04 +0000 Subject: [PATCH] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The cadence UART attempts to avoid allowing the guest to set invalid baud rate register values in the uart_write() function. However it does the "mask to the size of the register field" and "check for invalid values" in the wrong order, which means that a malicious guest can get a bogus value into the register by setting also some high bits in the value, and cause QEMU to crash by division-by-zero. Do the mask before the bounds check instead of afterwards. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 Signed-off-by: Peter Maydell Reviewed-by: Thomas Huth Reviewed-by: Edgar E. Iglesias Reviewed-by: Wilfred Mallawa Reviewed-by: Alistair Francis Reviewed-by: Philippe Mathieu-Daudé Tested-by: Qiang Liu Message-id: 20230314170804.1196232-1-peter.maydell@linaro.org --- hw/char/cadence_uart.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index c069a30842..807e398541 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, } break; case R_BRGR: /* Baud rate generator */ + value &= 0xffff; if (value >= 0x01) { - s->r[offset] = value & 0xFFFF; + s->r[offset] = value; } break; case R_BDIV: /* Baud rate divider */ + value &= 0xff; if (value >= 0x04) { - s->r[offset] = value & 0xFF; + s->r[offset] = value; } break; default: -- 2.39.5