From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	qemu-stable@nongnu.org
Subject: [PULL 05/20] hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ
Date: Wed,  4 Nov 2020 10:01:38 -0500	[thread overview]
Message-ID: <20201104150153.541326-6-pbonzini@redhat.com> (raw)
In-Reply-To: <20201104150153.541326-1-pbonzini@redhat.com>

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

libFuzzer triggered the following assertion:

  cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
    -nographic -monitor none -serial none \
    -qtest stdio -d guest_errors -trace pci\*
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xebed205d
  outl 0x5d02 0xedf82049
  EOF
  pci_cfg_write ICH9-LPC 31:0 @0x41 <- 0xebed205d
  hw/pci/pci.c:268: int pci_bus_get_irq_level(PCIBus *, int): Assertion `irq_num < bus->nirq' failed.

This is because ich9_lpc_sci_irq() returns -1 for reserved
(illegal) values, but ich9_lpc_pmbase_sci_update() considers
it valid and stores it in an 8-bit unsigned type. Then the 255
value is used as GSI IRQ, resulting in a PIRQ value of 247,
more than ICH9_LPC_NB_PIRQS (8).

Fix by simply ignoring the invalid access (and reporting it):

  pci_cfg_write ICH9-LPC 31:0 @0x41 <- 0xebed205d
  ICH9 LPC: SCI IRQ SEL #3 is reserved
  pci_cfg_read mch 00:0 @0x0 -> 0x8086
  pci_cfg_read mch 00:0 @0x0 -> 0x29c08086
  ...

Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: 8f242cb724 ("ich9: implement SCI_IRQ_SEL register")
BugLink: https://bugs.launchpad.net/qemu/+bug/1878642
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200717151705.18611-1-f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/isa/lpc_ich9.c      | 14 +++++++++++---
 include/hw/i386/ich9.h |  1 +
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/hw/isa/lpc_ich9.c b/hw/isa/lpc_ich9.c
index 04e5323140..087a18d04d 100644
--- a/hw/isa/lpc_ich9.c
+++ b/hw/isa/lpc_ich9.c
@@ -29,6 +29,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "cpu.h"
 #include "qapi/visitor.h"
 #include "qemu/range.h"
@@ -312,10 +313,12 @@ void ich9_generate_smi(void)
     cpu_interrupt(first_cpu, CPU_INTERRUPT_SMI);
 }
 
+/* Returns -1 on error, IRQ number on success */
 static int ich9_lpc_sci_irq(ICH9LPCState *lpc)
 {
-    switch (lpc->d.config[ICH9_LPC_ACPI_CTRL] &
-            ICH9_LPC_ACPI_CTRL_SCI_IRQ_SEL_MASK) {
+    uint8_t sel = lpc->d.config[ICH9_LPC_ACPI_CTRL] &
+                  ICH9_LPC_ACPI_CTRL_SCI_IRQ_SEL_MASK;
+    switch (sel) {
     case ICH9_LPC_ACPI_CTRL_9:
         return 9;
     case ICH9_LPC_ACPI_CTRL_10:
@@ -328,6 +331,8 @@ static int ich9_lpc_sci_irq(ICH9LPCState *lpc)
         return 21;
     default:
         /* reserved */
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "ICH9 LPC: SCI IRQ SEL #%u is reserved\n", sel);
         break;
     }
     return -1;
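Review bot: The new qemu_log_mask() in the default branch fires on every call to ich9_lpc_sci_irq() with a guest-chosen select value, and since ich9_lpc_pmbase_sci_update() calls it on each config-space write a guest can repeat the message indefinitely. LOG_GUEST_ERROR is the correct mask (the line only appears with -d guest_errors, as the commit message shows), but there is no rate limiting, so keep the message short as it is and avoid adding more detail to it. The `%u` format is fine: `sel` is `uint8_t` and is promoted to `int` through the varargs, and the masked value is at most 7.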
@@ -459,7 +464,7 @@ ich9_lpc_pmbase_sci_update(ICH9LPCState *lpc)
 {
     uint32_t pm_io_base = pci_get_long(lpc->d.config + ICH9_LPC_PMBASE);
     uint8_t acpi_cntl = pci_get_long(lpc->d.config + ICH9_LPC_ACPI_CTRL);
-    uint8_t new_gsi;
+    int new_gsi;
 
     if (acpi_cntl & ICH9_LPC_ACPI_CTRL_ACPI_EN) {
         pm_io_base &= ICH9_LPC_PMBASE_BASE_ADDRESS_MASK;
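Review bot: Changing `new_gsi` from `uint8_t` to `int` is what actually preserves the -1 sentinel here; with the old type the comparison against -1 added later in this function could never match, so this type change and the early return belong together. Unrelated to the fix but visible in the same context: `acpi_cntl` is read with pci_get_long() and then truncated into a `uint8_t`. It is only tested against ICH9_LPC_ACPI_CTRL_ACPI_EN (0x80), so the truncation is harmless, but pci_get_byte() would state the intent and silence conversion warnings; a follow-up cleanup rather than something for this patch.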
@@ -470,6 +475,9 @@ ich9_lpc_pmbase_sci_update(ICH9LPCState *lpc)
     ich9_pm_iospace_update(&lpc->pm, pm_io_base);
 
     new_gsi = ich9_lpc_sci_irq(lpc);
+    if (new_gsi == -1) {
+        return;
+    }
     if (lpc->sci_level && new_gsi != lpc->sci_gsi) {
         qemu_set_irq(lpc->pm.irq, 0);
         lpc->sci_gsi = new_gsi;
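Review bot: The early return on -1 leaves `lpc->sci_gsi` and `lpc->sci_level` untouched, so the previously programmed SCI routing stays in effect and only the PM I/O base update above it is applied; that is the sensible "ignore" semantic the commit message describes, but a one-line comment at the `return` saying the old routing is kept would spare the next reader from wondering whether the SCI should instead be de-asserted. Also worth confirming that the type of `lpc->sci_gsi` (not visible in this hunk) is wide enough for the `int` now assigned to it, since the valid values are 9..21 and any narrower field would be fine only because of the guard added here.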
diff --git a/include/hw/i386/ich9.h b/include/hw/i386/ich9.h
index 294024be5f..d1ea000d3d 100644
--- a/include/hw/i386/ich9.h
+++ b/include/hw/i386/ich9.h
@@ -144,6 +144,7 @@ struct ICH9LPCState {
 #define ICH9_LPC_PMBASE_BASE_ADDRESS_MASK       Q35_MASK(32, 15, 7)
 #define ICH9_LPC_PMBASE_RTE                     0x1
 #define ICH9_LPC_PMBASE_DEFAULT                 0x1
+
 #define ICH9_LPC_ACPI_CTRL                      0x44
 #define ICH9_LPC_ACPI_CTRL_ACPI_EN              0x80
 #define ICH9_LPC_ACPI_CTRL_SCI_IRQ_SEL_MASK     Q35_MASK(8, 2, 0)
-- 
2.26.2
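A reduced model of the bug and the fix, written as an added example and not QEMU's own code: the reproducer's 32-bit write of 0xebed205d at config offset 0x41 places 0xeb in the ACPI_CNTL byte at 0x44, and 0xeb & 7 == 3 is a reserved select. The model assumes the ICH9 datasheet encodings 0->IRQ9, 1->IRQ10, 2->IRQ11, 4->IRQ20, 5->IRQ21 and a 24-pin GSI range; the `uint8_t` store in the pre-fix path turns the -1 sentinel into 255, which the post-fix path rejects before touching the routing state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ICH9 ACPI_CNTL SCI routing, not QEMU's code. */
#define SCI_IRQ_SEL_MASK 0x7   /* bits 2:0, i.e. the patch's Q35_MASK(8, 2, 0) */
#define NB_GSI           24    /* assumed pin count for the range check */

struct lpc_model {
    uint8_t acpi_ctrl;   /* guest-writable config byte at offset 0x44 */
    int sci_gsi;         /* GSI the SCI is currently routed to */
};

/* Like ich9_lpc_sci_irq(): IRQ for a valid select, -1 for a reserved one.
 * Encodings assumed from the ICH9 datasheet: 0->9, 1->10, 2->11, 4->20, 5->21. */
static int sci_irq_for_sel(uint8_t acpi_ctrl)
{
    unsigned sel = acpi_ctrl & SCI_IRQ_SEL_MASK;
    switch (sel) {
    case 0: return 9;
    case 1: return 10;
    case 2: return 11;
    case 4: return 20;
    case 5: return 21;
    default:
        fprintf(stderr, "model: SCI IRQ SEL #%u is reserved\n", sel);
        return -1;
    }
}

/* Pre-fix: the -1 sentinel is stored in a uint8_t and silently becomes 255. */
static int sci_update_buggy(struct lpc_model *lpc)
{
    uint8_t new_gsi = sci_irq_for_sel(lpc->acpi_ctrl);   /* -1 wraps to 255 */
    lpc->sci_gsi = new_gsi;
    return lpc->sci_gsi;
}

/* Post-fix: keep the sign, ignore the reserved value, leave the old routing alone. */
static bool sci_update_fixed(struct lpc_model *lpc)
{
    int new_gsi = sci_irq_for_sel(lpc->acpi_ctrl);
    if (new_gsi == -1) {
        return false;
    }
    lpc->sci_gsi = new_gsi;
    return true;
}

/* Stand-in for the `irq_num < bus->nirq` assertion that the fuzzer tripped. */
static bool gsi_in_range(int gsi)
{
    return gsi >= 0 && gsi < NB_GSI;
}
```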