| Message ID | 20230314170804.1196232-1-peter.maydell@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [for-8.0] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings | expand |
On 14/03/2023 18.08, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: Reviewed-by: Thomas Huth <thuth@redhat.com>
On Tue, Mar 14, 2023 at 6:08 PM Peter Maydell <peter.maydell@linaro.org> wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr > offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: > -- > 2.34.1 > >
On Tue, 2023-03-14 at 17:08 +0000, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com> > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, > hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default:
On Wed, Mar 15, 2023 at 3:09 AM Peter Maydell <peter.maydell@linaro.org> wrote: > > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Alistair > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: > -- > 2.34.1 > >
On 14/3/23 18:08, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
On 3/14/23 6:08 PM, Peter Maydell wrote: > The cadence UART attempts to avoid allowing the guset to set invalid > baud rate register values in the uart_write() function. However it > does the "mask to the size of the register field" and "check for > invalid values" in the wrong order, which means that a malicious > guest can get a bogus value into the register by setting also some > high bits in the value, and cause QEMU to crash by division-by-zero. > > Do the mask before the bounds check instead of afterwards. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > hw/char/cadence_uart.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index c069a30842e..807e3985419 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, > } > break; > case R_BRGR: /* Baud rate generator */ > + value &= 0xffff; > if (value >= 0x01) { > - s->r[offset] = value & 0xFFFF; > + s->r[offset] = value; > } > break; > case R_BDIV: /* Baud rate divider */ > + value &= 0xff; > if (value >= 0x04) { > - s->r[offset] = value & 0xFF; > + s->r[offset] = value; > } > break; > default: Tested on my side. Tested-by: Qiang Liu <cyruscyliu@gmail.com>
diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index c069a30842e..807e3985419 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, } break; case R_BRGR: /* Baud rate generator */ + value &= 0xffff; if (value >= 0x01) { - s->r[offset] = value & 0xFFFF; + s->r[offset] = value; } break; case R_BDIV: /* Baud rate divider */ + value &= 0xff; if (value >= 0x04) { - s->r[offset] = value & 0xFF; + s->r[offset] = value; } break; default:
The cadence UART attempts to avoid allowing the guset to set invalid baud rate register values in the uart_write() function. However it does the "mask to the size of the register field" and "check for invalid values" in the wrong order, which means that a malicious guest can get a bogus value into the register by setting also some high bits in the value, and cause QEMU to crash by division-by-zero. Do the mask before the bounds check instead of afterwards. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/char/cadence_uart.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)