qemu/hw/char
Peter Maydell 0c88f93788 hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
The cadence UART attempts to avoid allowing the guest to set invalid
baud rate register values in the uart_write() function.  However it
does the "mask to the size of the register field" and "check for
invalid values" in the wrong order, which means that a malicious
guest can get a bogus value into the register by setting also some
high bits in the value, and cause QEMU to crash by division-by-zero.

Do the mask before the bounds check instead of afterwards.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Message-id: 20230314170804.1196232-1-peter.maydell@linaro.org
2023-03-21 11:54:39 +00:00
avr_usart.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
bcm2835_aux.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
cadence_uart.c hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings 2023-03-21 11:54:39 +00:00
cmsdk-apb-uart.c chardev: mark explicitly first argument as poisoned 2021-08-05 16:15:33 +04:00
debugcon.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
digic-uart.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
escc.c hw/char: fix qcode array bounds check in ESCC impl 2022-04-26 16:12:26 +01:00
etraxfs_ser.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
exynos4210_uart.c Drop useless casts from g_malloc() & friends to pointer 2022-10-22 23:15:40 +02:00
goldfish_tty.c hw/m68k: Fix typo in SPDX tag 2021-11-09 10:11:27 +01:00
grlib_apbuart.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
ibex_uart.c include/hw: Do not include "hw/registerfields.h" in headers that don't need it 2023-02-14 09:02:42 +01:00
imx_serial.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
ipoctal232.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
Kconfig hw/char: Add config for shakti uart 2021-09-01 11:59:12 +10:00
mcf_uart.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
mchp_pfsoc_mmuart.c hw/char/mchp_pfsoc_mmuart: QOM'ify PolarFire MMUART 2021-10-07 08:41:33 +10:00
meson.build hw/xen: Build PV backend drivers for CONFIG_XEN_BUS 2023-03-07 17:04:30 +00:00
nrf51_uart.c chardev: mark explicitly first argument as poisoned 2021-08-05 16:15:33 +04:00
omap_uart.c hw/arm/omap: Drop useless casts from void * to pointer 2023-01-12 17:15:09 +00:00
parallel-isa.c isa: Convert uses of isa_create() with Coccinelle 2020-06-15 22:05:28 +02:00
parallel.c replace TABs with spaces 2023-03-20 12:43:50 +01:00
pl011.c hw/char/pl011: Un-inline pl011_create() 2023-02-27 13:27:05 +00:00
renesas_sci.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
riscv_htif.c hw/riscv: spike: Decouple create_fdt() dependency to ELF loading 2023-01-20 10:14:13 +10:00
sclpconsole-lm.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
sclpconsole.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
serial-isa.c acpi: serial-is: replace ISADeviceClass::build_aml with AcpiDevAmlIfClass:build_dev_aml 2022-06-09 19:32:48 -04:00
serial-pci-multi.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
serial-pci.c include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
serial.c replace TABs with spaces 2023-03-20 12:43:50 +01:00
sh_serial.c hw/char/sh_serial: Add device id to trace output 2021-10-30 18:39:37 +02:00
shakti_uart.c hw/char: shakti_uart: Register device in 'input' category 2021-10-07 08:41:33 +10:00
sifive_uart.c cleanup: Tweak and re-run return_directly.cocci 2022-12-14 16:19:35 +01:00
spapr_vty.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
stm32f2xx_usart.c Fix STM32F2XX USART data register readout 2021-12-15 10:11:34 +00:00
terminal3270.c s390x: css: report errors from ccw_dstream_read/write 2021-04-09 10:52:13 +02:00
trace-events hw/char/sh_serial: Add device id to trace output 2021-10-30 18:39:37 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
virtio-console.c chardev: mark explicitly first argument as poisoned 2021-08-05 16:15:33 +04:00
virtio-serial-bus.c virtio: drop name parameter for virtio_init() 2022-05-16 04:38:40 -04:00
xen_console.c hw/xen: Move xenstore_store_pv_console_info to xen_console.c 2023-03-07 17:04:30 +00:00
xilinx_uartlite.c hw/char/xilinx_uartlite: Expose XILINX_UARTLITE QOM type 2023-02-27 13:27:05 +00:00