The cadence UART attempts to avoid allowing the guest to set invalid baud rate register values in the uart_write() function. However it does the "mask to the size of the register field" and "check for invalid values" in the wrong order, which means that a malicious guest can get a bogus value into the register by setting also some high bits in the value, and cause QEMU to crash by division-by-zero.
Do the mask before the bounds check instead of afterwards. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493 Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> Reviewed-by: Thomas Huth <th...@redhat.com> Reviewed-by: Edgar E. Iglesias <ed...@zeroasic.com> Reviewed-by: Wilfred Mallawa <wilfred.mall...@wdc.com> Reviewed-by: Alistair Francis <alistair.fran...@wdc.com> Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org> Tested-by: Qiang Liu <cyruscy...@gmail.com> Message-id: 20230314170804.1196232-1-peter.mayd...@linaro.org --- hw/char/cadence_uart.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c index c069a30842e..807e3985419 100644 --- a/hw/char/cadence_uart.c +++ b/hw/char/cadence_uart.c @@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset, } break; case R_BRGR: /* Baud rate generator */ + value &= 0xffff; if (value >= 0x01) { - s->r[offset] = value & 0xFFFF; + s->r[offset] = value; } break; case R_BDIV: /* Baud rate divider */ + value &= 0xff; if (value >= 0x04) { - s->r[offset] = value & 0xFF; + s->r[offset] = value; } break; default: -- 2.34.1