[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 07/46] hw/misc: Fix arith overflow in NPCM7XX PWM module
From: |
Peter Maydell |
Subject: |
[PULL 07/46] hw/misc: Fix arith overflow in NPCM7XX PWM module |
Date: |
Fri, 29 Jan 2021 10:59:33 +0000 |
From: Hao Wu <wuhaotsh@google.com>
Fix potential overflow problem when calculating pwm_duty.
1. Ensure p->cmr and p->cnr to be from [0,65535], according to the
hardware specification.
2. Changed duty to uint32_t. However, since MAX_DUTY * (p->cmr+1)
can excceed UINT32_MAX, we convert them to uint64_t in computation
and converted them back to uint32_t.
(duty is guaranteed to be <= MAX_DUTY so it won't overflow.)
Fixes: CID 1442342
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Doug Evans <dje@google.com>
Signed-off-by: Hao Wu <wuhaotsh@google.com>
Message-id: 20210127011142.2122790-1-wuhaotsh@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/misc/npcm7xx_pwm.c | 23 +++++++++++++++++++----
tests/qtest/npcm7xx_pwm-test.c | 4 ++--
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/hw/misc/npcm7xx_pwm.c b/hw/misc/npcm7xx_pwm.c
index e99e3cc7ef3..dabcb6c0f95 100644
--- a/hw/misc/npcm7xx_pwm.c
+++ b/hw/misc/npcm7xx_pwm.c
@@ -58,6 +58,9 @@ REG32(NPCM7XX_PWM_PWDR3, 0x50);
#define NPCM7XX_CH_INV BIT(2)
#define NPCM7XX_CH_MOD BIT(3)
+#define NPCM7XX_MAX_CMR 65535
+#define NPCM7XX_MAX_CNR 65535
+
/* Offset of each PWM channel's prescaler in the PPR register. */
static const int npcm7xx_ppr_base[] = { 0, 0, 8, 8 };
/* Offset of each PWM channel's clock selector in the CSR register. */
@@ -96,7 +99,7 @@ static uint32_t npcm7xx_pwm_calculate_freq(NPCM7xxPWM *p)
static uint32_t npcm7xx_pwm_calculate_duty(NPCM7xxPWM *p)
{
- uint64_t duty;
+ uint32_t duty;
if (p->running) {
if (p->cnr == 0) {
@@ -104,7 +107,7 @@ static uint32_t npcm7xx_pwm_calculate_duty(NPCM7xxPWM *p)
} else if (p->cmr >= p->cnr) {
duty = NPCM7XX_PWM_MAX_DUTY;
} else {
- duty = NPCM7XX_PWM_MAX_DUTY * (p->cmr + 1) / (p->cnr + 1);
+ duty = (uint64_t)NPCM7XX_PWM_MAX_DUTY * (p->cmr + 1) / (p->cnr +
1);
}
} else {
duty = 0;
@@ -357,7 +360,13 @@ static void npcm7xx_pwm_write(void *opaque, hwaddr offset,
case A_NPCM7XX_PWM_CNR2:
case A_NPCM7XX_PWM_CNR3:
p = &s->pwm[npcm7xx_cnr_index(offset)];
- p->cnr = value;
+ if (value > NPCM7XX_MAX_CNR) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid cnr value: %u", __func__, value);
+ p->cnr = NPCM7XX_MAX_CNR;
+ } else {
+ p->cnr = value;
+ }
npcm7xx_pwm_update_output(p);
break;
@@ -366,7 +375,13 @@ static void npcm7xx_pwm_write(void *opaque, hwaddr offset,
case A_NPCM7XX_PWM_CMR2:
case A_NPCM7XX_PWM_CMR3:
p = &s->pwm[npcm7xx_cmr_index(offset)];
- p->cmr = value;
+ if (value > NPCM7XX_MAX_CMR) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid cmr value: %u", __func__, value);
+ p->cmr = NPCM7XX_MAX_CMR;
+ } else {
+ p->cmr = value;
+ }
npcm7xx_pwm_update_output(p);
break;
diff --git a/tests/qtest/npcm7xx_pwm-test.c b/tests/qtest/npcm7xx_pwm-test.c
index 63557d2c061..3d82654b81a 100644
--- a/tests/qtest/npcm7xx_pwm-test.c
+++ b/tests/qtest/npcm7xx_pwm-test.c
@@ -272,7 +272,7 @@ static uint64_t pwm_compute_freq(QTestState *qts, uint32_t
ppr, uint32_t csr,
static uint64_t pwm_compute_duty(uint32_t cnr, uint32_t cmr, bool inverted)
{
- uint64_t duty;
+ uint32_t duty;
if (cnr == 0) {
/* PWM is stopped. */
@@ -280,7 +280,7 @@ static uint64_t pwm_compute_duty(uint32_t cnr, uint32_t
cmr, bool inverted)
} else if (cmr >= cnr) {
duty = MAX_DUTY;
} else {
- duty = MAX_DUTY * (cmr + 1) / (cnr + 1);
+ duty = (uint64_t)MAX_DUTY * (cmr + 1) / (cnr + 1);
}
if (inverted) {
--
2.20.1
- [PULL 00/46] target-arm queue, Peter Maydell, 2021/01/29
- [PULL 05/46] arm-virt: refactor gpios creation, Peter Maydell, 2021/01/29
- [PULL 01/46] target/arm: Implement ID_PFR2, Peter Maydell, 2021/01/29
- [PULL 03/46] arm: rename xlnx-zcu102.canbusN properties, Peter Maydell, 2021/01/29
- [PULL 06/46] arm-virt: add secure pl061 for reset/power down, Peter Maydell, 2021/01/29
- [PULL 02/46] target/arm: Conditionalize DBGDIDR, Peter Maydell, 2021/01/29
- [PULL 09/46] configure: Move preadv check to meson.build, Peter Maydell, 2021/01/29
- [PULL 11/46] osdep: build with non-working system() function, Peter Maydell, 2021/01/29
- [PULL 07/46] hw/misc: Fix arith overflow in NPCM7XX PWM module,
Peter Maydell <=
- [PULL 08/46] target/arm: Replace magic value by MMU_DATA_LOAD definition, Peter Maydell, 2021/01/29
- [PULL 04/46] hw: gpio: implement gpio-pwr driver for qemu reset/poweroff, Peter Maydell, 2021/01/29
- [PULL 13/46] darwin: fix cross-compiling for Darwin, Peter Maydell, 2021/01/29
- [PULL 10/46] configure: cross-compiling with empty cross_prefix, Peter Maydell, 2021/01/29
- [PULL 12/46] darwin: remove redundant dependency declaration, Peter Maydell, 2021/01/29
- [PULL 14/46] configure: cross compile should use x86_64 cpu_family, Peter Maydell, 2021/01/29
- [PULL 16/46] darwin: remove 64-bit build detection on 32-bit OS, Peter Maydell, 2021/01/29
- [PULL 19/46] hw/misc/pvpanic: add PCI interface support, Peter Maydell, 2021/01/29
- [PULL 18/46] hw/misc/pvpanic: split-out generic and bus dependent code, Peter Maydell, 2021/01/29
- [PULL 15/46] darwin: detect CoreAudio for build, Peter Maydell, 2021/01/29