From: Peter Maydell
To: qemu-devel@nongnu.org
Date: Fri, 27 Jan 2017 15:32:17 +0000
Message-Id: <1485531137-2362-23-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1485531137-2362-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 22/22] dma: omap: check dma channel data_type
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 92673

From: Prasad J Pandit

When setting dma channel 'data_type', if (value & 3) == 3,
the set 'data_type' is said to be bad. This also leads to an
OOB access in 'omap_dma_transfer_generic', while doing
cpu_physical_memory_r/w operations. Add check to avoid it.

Reported-by: Jiang Xin
Signed-off-by: Prasad J Pandit
Message-id: 20170127120528.30959-1-ppandit@redhat.com
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
---
 hw/dma/omap_dma.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--
2.7.4

diff --git a/hw/dma/omap_dma.c b/hw/dma/omap_dma.c
index f6f86f9..45dfe7a 100644
--- a/hw/dma/omap_dma.c
+++ b/hw/dma/omap_dma.c
@@ -878,15 +878,17 @@ static int omap_dma_ch_reg_write(struct omap_dma_s *s, ch->burst[0] = (value & 0x0180) >> 7; ch->pack[0] = (value & 0x0040) >> 6; ch->port[0] = (enum omap_dma_port) ((value & 0x003c) >> 2); - ch->data_type = 1 << (value & 3); if (ch->port[0] >= __omap_dma_port_last) printf("%s: invalid DMA port %i\n", __FUNCTION__, ch->port[0]); if (ch->port[1] >= __omap_dma_port_last) printf("%s: invalid DMA port %i\n", __FUNCTION__, ch->port[1]); - if ((value & 3) == 3) + ch->data_type = 1 << (value & 3); + if ((value & 3) == 3) { printf("%s: bad data_type for DMA channel\n", __FUNCTION__); + ch->data_type >>= 1; + } break; case 0x02: /* SYS_DMA_CCR_CH0 */ @@ -1988,8 +1990,10 @@ static void omap_dma4_write(void *opaque, hwaddr addr, fprintf(stderr, "%s: bad MReqAddressTranslate sideband signal\n", __FUNCTION__); ch->data_type = 1 << (value & 3); - if ((value & 3) == 3) + if ((value & 3) == 3) { printf("%s: bad data_type for DMA channel\n", __FUNCTION__); + ch->data_type >>= 1; + } break; case 0x14: /* DMA4_CEN */
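Review bot: In the first hunk (omap_dma_ch_reg_write), the new `ch->data_type >>= 1` inside the `(value & 3) == 3` branch has no comment saying that the reserved encoding is deliberately clamped from 8 to 4 bytes, or that the clamp is what keeps the later transfer code in bounds; a one-line comment at that statement would make the intent clear to the next reader. The two `ch->port[...] >= __omap_dma_port_last` checks directly above still only print and leave the out-of-range value stored, which is the same warn-and-keep pattern this change removes for data_type, so it is worth confirming whether the port fields need equivalent handling.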
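Review bot: In the second hunk (omap_dma4_write), the assign-then-clamp sequence is now a second copy of the one added to omap_dma_ch_reg_write; a small shared helper that maps `value & 3` to a valid data_type would keep the two register paths from drifting apart. The "bad data_type" message here still goes to stdout through printf while the diagnostic on the line just above it uses fprintf(stderr, ...), and since the guest can trigger it with any register write, routing both through one consistent logging path would be preferable.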