+-- On Thu, 25 Oct 2018, Peter Maydell wrote --+
| Hi; thanks for this patch. Looking at the SA1110 manual,
| it says that writes to the reserved bits [31:28] are
| ignored. So I think that rather than doing this check
| here, we should do what the strongarm_ppc_* code in the
| same file does -- mask off the high bits for writes to
| the direction and state registers. Then it will not
| be possible for high bits to be set here that cause an
| out-of-range array access.
=== diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c index ec2627374d..dd8c4b1f2e 100644 --- a/hw/arm/strongarm.c +++ b/hw/arm/strongarm.c @@ -587,12 +587,12 @@ static void strongarm_gpio_write(void *opaque, hwaddr offset, switch (offset) { case GPDR: /* GPIO Pin-Direction registers */ - s->dir = value; + s->dir = value & 0x3fffff; strongarm_gpio_handler_update(s); break; case GPSR: /* GPIO Pin-Output Set registers */ - s->olevel |= value; + s->olevel |= value & 0x3fffff; strongarm_gpio_handler_update(s); break; === does this seem okay? | Side note: this device is used only in the "collie" | machine model, which only works via TCG, so this is | not a security issue, just a bug (which will only be | visible if the guest is buggy.) Cool, thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
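
Review bot: in both the GPDR and GPSR cases the mask 0x3fffff keeps only bits [21:0], while the review quoted above says the reserved bits are [31:28], which leaves [27:0] as valid pin bits. As written, guest writes to bits [27:22] of the direction and set registers are silently dropped. If the intent is to ignore only the reserved bits, the mask should be 0x0fffffff, or whatever width matches the array that the out-of-range access concerned. It would also help to define the mask once as a named constant with a short comment citing the manual, rather than repeating the literal in each case.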