haraldwolff/qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
qemu-patch-raspberry4/hw
History
Philippe Mathieu-Daudé 6e4ed42397 hw/hppa/dino: Fix reg800_keep_bits overrun (CID 1419387 1419393 1419394) 
Coverity reports:

  *** CID 1419387:  Memory - illegal accesses  (OVERRUN)
  /hw/hppa/dino.c: 267 in dino_chip_read_with_attrs()
  261             val = s->ilr & s->imr & s->icr;
  262             break;
  263         case DINO_TOC_ADDR:
  264             val = s->toc_addr;
  265             break;
  266         case DINO_GMASK ... DINO_TLTIM:
  >>>     CID 1419387:  Memory - illegal accesses  (OVERRUN)
  >>>     Overrunning array "s->reg800" of 12 4-byte elements at element index 12 (byte offset 48) using index "(addr - 2048UL) / 4UL" (which evaluates to 12).
  267             val = s->reg800[(addr - DINO_GMASK) / 4];
  268             if (addr == DINO_PAMR) {
  269                 val &= ~0x01;  /* LSB is hardwired to 0 */
  270             }
  271             if (addr == DINO_MLTIM) {
  272                 val &= ~0x07;  /* 3 LSB are hardwired to 0 */

  *** CID 1419393:  Memory - corruptions  (OVERRUN)
  /hw/hppa/dino.c: 363 in dino_chip_write_with_attrs()
  357             /* These registers are read-only.  */
  358             break;
  359
  360         case DINO_GMASK ... DINO_TLTIM:
  361             i = (addr - DINO_GMASK) / 4;
  362             val &= reg800_keep_bits[i];
  >>>     CID 1419393:  Memory - corruptions  (OVERRUN)
  >>>     Overrunning array "s->reg800" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12).
  363             s->reg800[i] = val;
  364             break;
  365
  366         default:
  367             /* Controlled by dino_chip_mem_valid above.  */
  368             g_assert_not_reached();

  *** CID 1419394:  Memory - illegal accesses  (OVERRUN)
  /hw/hppa/dino.c: 362 in dino_chip_write_with_attrs()
  356         case DINO_IRR1:
  357             /* These registers are read-only.  */
  358             break;
  359
  360         case DINO_GMASK ... DINO_TLTIM:
  361             i = (addr - DINO_GMASK) / 4;
  >>>     CID 1419394:  Memory - illegal accesses  (OVERRUN)
  >>>     Overrunning array "reg800_keep_bits" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12).
  362             val &= reg800_keep_bits[i];
  363             s->reg800[i] = val;
  364             break;
  365
  366         default:
  367             /* Controlled by dino_chip_mem_valid above.  */

Indeed the array should contain 13 entries, the undocumented
register 0x82c is missing. Fix by increasing the array size
and adding the missing register.

CID 1419387 can be verified with:

  $ echo x 0xfff80830 | hppa-softmmu/qemu-system-hppa -S -monitor stdio -display none
  QEMU 4.2.50 monitor - type 'help' for more information
  (qemu) x 0xfff80830
  qemu/hw/hppa/dino.c:267:15: runtime error: index 12 out of bounds for type 'uint32_t [12]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phil/source/qemu/hw/hppa/dino.c:267:15 in
  00000000fff80830: 0x00000000

and CID 1419393/1419394 with:

  $ echo writeb 0xfff80830 0x69 \
    | hppa-softmmu/qemu-system-hppa -S -accel qtest -qtest stdio -display none
  [I 1581634452.654113] OPENED
  [R +4.105415] writeb 0xfff80830 0x69
  qemu/hw/hppa/dino.c:362:16: runtime error: index 12 out of bounds for type 'const uint32_t [12]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior qemu/hw/hppa/dino.c:362:16 in
  =================================================================
  ==29607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5577dae32f30 at pc 0x5577d93f2463 bp 0x7ffd97ea11b0 sp 0x7ffd97ea11a8
  READ of size 4 at 0x5577dae32f30 thread T0
      #0 0x5577d93f2462 in dino_chip_write_with_attrs qemu/hw/hppa/dino.c:362:16
      #1 0x5577d9025664 in memory_region_write_with_attrs_accessor qemu/memory.c:503:12
      #2 0x5577d9024920 in access_with_adjusted_size qemu/memory.c:539:18
      #3 0x5577d9023608 in memory_region_dispatch_write qemu/memory.c:1482:13
      #4 0x5577d8e3177a in flatview_write_continue qemu/exec.c:3166:23
      #5 0x5577d8e20357 in flatview_write qemu/exec.c:3206:14
      #6 0x5577d8e1fef4 in address_space_write qemu/exec.c:3296:18
      #7 0x5577d8e20693 in address_space_rw qemu/exec.c:3306:16
      #8 0x5577d9011595 in qtest_process_command qemu/qtest.c:432:13
      #9 0x5577d900d19f in qtest_process_inbuf qemu/qtest.c:705:9
      #10 0x5577d900ca22 in qtest_read qemu/qtest.c:717:5
      #11 0x5577da8c4254 in qemu_chr_be_write_impl qemu/chardev/char.c:183:9
      #12 0x5577da8c430c in qemu_chr_be_write qemu/chardev/char.c:195:9
      #13 0x5577da8cf587 in fd_chr_read qemu/chardev/char-fd.c:68:9
      #14 0x5577da9836cd in qio_channel_fd_source_dispatch qemu/io/channel-watch.c:84:12
      #15 0x7faf44509ecc in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4fecc)
      #16 0x5577dab75f96 in glib_pollfds_poll qemu/util/main-loop.c:219:9
      #17 0x5577dab74797 in os_host_main_loop_wait qemu/util/main-loop.c:242:5
      #18 0x5577dab7435a in main_loop_wait qemu/util/main-loop.c:518:11
      #19 0x5577d9514eb3 in main_loop qemu/vl.c:1682:9
      #20 0x5577d950699d in main qemu/vl.c:4450:5
      #21 0x7faf41a87f42 in __libc_start_main (/lib64/libc.so.6+0x23f42)
      #22 0x5577d8cd4d4d in _start (qemu/build/sanitizer/hppa-softmmu/qemu-system-hppa+0x1256d4d)

  0x5577dae32f30 is located 0 bytes to the right of global variable 'reg800_keep_bits' defined in 'qemu/hw/hppa/dino.c:87:23' (0x5577dae32f00) of size 48
  SUMMARY: AddressSanitizer: global-buffer-overflow qemu/hw/hppa/dino.c:362:16 in dino_chip_write_with_attrs
  Shadow bytes around the buggy address:
    0x0aaf7b5be590: 00 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
    0x0aaf7b5be5a0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
    0x0aaf7b5be5b0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
    0x0aaf7b5be5c0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 00 00 00
    0x0aaf7b5be5d0: 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  =>0x0aaf7b5be5e0: 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00
    0x0aaf7b5be5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0aaf7b5be600: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
    0x0aaf7b5be610: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
    0x0aaf7b5be620: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
    0x0aaf7b5be630: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==29607==ABORTING

Fixes: Covertiy CID 1419387 / 1419393 / 1419394 (commit 18092598a5)
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200218063355.18577-3-f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2020-02-18 11:22:10 -08:00
..
9pfs hw/9pfs/9p-synth: added directory for readdir test 2020-02-08 09:29:04 +01:00
acpi * Register qdev properties as class properties (Marc-André) 2020-01-27 09:44:04 +00:00
adc hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
alpha hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
arm hw/arm/raspi: Extract the cores count from the board revision 2020-02-13 14:30:51 +00:00
audio add device_legacy_reset function to prepare for reset api change 2020-01-30 16:02:03 +00:00
block hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
char hw/char/exynos4210_uart: Fix memleaks in exynos4210_uart_init 2020-02-13 14:14:55 +00:00
core qxl: introduce hardware revision 5 2020-02-13 08:31:40 +01:00
cpu qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
cris hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
display hw/display/artist: Remove dead code (CID 1419388 & 1419389) 2020-02-18 11:21:47 -08:00
dma bcm2835_dma: Re-initialize xlen in TD mode 2020-02-07 14:04:28 +00:00
gpio hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
hppa hw/hppa/dino: Fix reg800_keep_bits overrun (CID 1419387 1419393 1419394) 2020-02-18 11:22:10 -08:00
hyperv add device_legacy_reset function to prepare for reset api change 2020-01-30 16:02:03 +00:00
i2c aspeed/i2c: Prevent uninitialized warning 2020-02-06 11:13:24 +01:00
i386 hw/i386/vmmouse: Fix crash when using the vmmouse on a machine without vmport 2020-02-06 11:02:48 +01:00
ide add device_legacy_reset function to prepare for reset api change 2020-01-30 16:02:03 +00:00
input hw/input: Do not enable CONFIG_PCKBD by default 2020-02-04 09:01:31 +01:00
intc ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge 2020-02-02 14:07:57 +11:00
ipack qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
ipmi qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
isa hw/input: Do not enable CONFIG_PCKBD by default 2020-02-04 09:01:31 +01:00
lm32 hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
m68k hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
mem qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
microblaze hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
mips hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
misc i.MX: Fix inverted register bits in wdt code. 2020-02-13 14:14:52 +00:00
moxie hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
net hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
nios2 hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
nubus hw/m68k: add Nubus support 2019-10-28 19:06:47 +01:00
nvram hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
openrisc hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
pci qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
pci-bridge qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
pci-host ppc/pnv: change the PowerNV machine devices to be non user creatable 2020-02-02 14:07:57 +11:00
pcmcia hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
ppc ppc: spapr: Activate the FWNMI functionality 2020-02-03 11:33:11 +11:00
rdma qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
riscv riscv: virt: Use Goldfish RTC device 2020-02-10 12:01:38 -08:00
rtc hw: rtc: Add Goldfish RTC device 2020-02-10 12:01:37 -08:00
s390x hw/s390x/ipl: replace deprecated qdev_reset_all registration 2020-01-30 16:02:05 +00:00
scsi add device_legacy_reset function to prepare for reset api change 2020-01-30 16:02:03 +00:00
sd hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
semihosting semihosting: add qemu_semihosting_console_inc for SYS_READC 2020-01-09 11:41:29 +00:00
sh4 sm501: make SerialMM a child, export chardev property 2020-01-07 17:24:29 +04:00
smbios hw/smbios/smbios: Remove unused include 2020-02-06 10:38:57 +01:00
sparc hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
sparc64 hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
ssi hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
timer stm32f2xx_timer: delay timer_new to avoid memleaks 2020-02-07 14:04:28 +00:00
tpm hw/ppc/Kconfig: Enable TPM_SPAPR as part of PSERIES config 2020-02-02 14:07:57 +11:00
tricore hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
unicore32 Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
usb uas: fix super speed bMaxPacketSize0 2020-02-12 17:20:41 +01:00
vfio hw/vfio: Move the IGD quirk code to a separate file 2020-02-06 11:55:42 -07:00
virtio * Register qdev properties as class properties (Marc-André) 2020-01-27 09:44:04 +00:00
watchdog qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
xen qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
xenpv trivial: Remove xenfb_enabled from sysemu.h 2020-02-04 09:00:57 +01:00
xtensa hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
Kconfig Remove the core bluetooth code 2019-12-17 09:01:14 +01:00
Makefile.objs Remove the core bluetooth code 2019-12-17 09:01:14 +01:00