qemu/include/hw
Philippe Mathieu-Daudé 4177b062fc hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ
libFuzzer triggered the following assertion:

  cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
    -nographic -monitor none -serial none \
    -qtest stdio -d guest_errors -trace pci\*
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xebed205d
  outl 0x5d02 0xedf82049
  EOF
  pci_cfg_write ICH9-LPC 31:0 @0x41 <- 0xebed205d
  hw/pci/pci.c:268: int pci_bus_get_irq_level(PCIBus *, int): Assertion `irq_num < bus->nirq' failed.

This is because ich9_lpc_sci_irq() returns -1 for reserved
(illegal) values, but ich9_lpc_pmbase_sci_update() considers
it valid and stores it in an 8-bit unsigned type. Then the 255
value is used as GSI IRQ, resulting in a PIRQ value of 247,
more than ICH9_LPC_NB_PIRQS (8).

Fix by simply ignoring the invalid access (and reporting it):

  pci_cfg_write ICH9-LPC 31:0 @0x41 <- 0xebed205d
  ICH9 LPC: SCI IRQ SEL #3 is reserved
  pci_cfg_read mch 00:0 @0x0 -> 0x8086
  pci_cfg_read mch 00:0 @0x0 -> 0x29c08086
  ...

Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: 8f242cb724 ("ich9: implement SCI_IRQ_SEL register")
BugLink: https://bugs.launchpad.net/qemu/+bug/1878642
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200717151705.18611-1-f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03 09:42:53 -05:00
acpi qom: fix objects with improper parent type 2020-10-12 11:50:22 -04:00
adc Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
arm hw/arm/raspi: add a skeleton implementation of the CPRMAN 2020-10-27 11:10:44 +00:00
audio qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
block Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
char hw/char/pl011: add a clock input 2020-10-27 11:10:44 +00:00
core cpus: Drop declaration of cpu_remove() 2020-10-27 16:48:49 +01:00
cpu Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
cris sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
display edid: use physical dimensions if available 2020-09-29 10:08:25 +02:00
dma Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
firmware machine: Refactor smp-related call chains to pass MachineState 2019-07-05 17:07:36 -03:00
gpio hw/gpio: Add GPIO model for Nuvoton NPCM7xx 2020-10-27 11:10:32 +00:00
hyperv Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
i2c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
i386 hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ 2020-11-03 09:42:53 -05:00
ide ide: remove magic constants from the device register 2020-10-01 13:04:16 -04:00
input input: tsc2xxx fix. 2020-09-22 21:11:10 +01:00
intc hw/intc/arm_gicv3_cpuif: Make GIC maintenance interrupts work 2020-11-02 16:52:17 +00:00
ipack Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ipmi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
isa Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
kvm target/i386: always create kvmclock device 2020-09-30 19:11:36 +02:00
lm32
m68k Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
mem pc-dimm: Drop @errp argument of pc_dimm_plug() 2020-10-28 01:08:53 +11:00
mips hw/mips: Simplify code using ROUND_UP(INITRD_PAGE_SIZE) 2020-10-17 13:59:40 +02:00
misc target-arm queue: 2020-10-29 11:40:04 +00:00
net Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
nubus Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
nvram Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci pci: allocate pci id for nvme 2020-10-27 07:24:47 +01:00
pci-bridge Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-host uninorth: use qdev gpios for PCI IRQs 2020-10-18 16:21:42 +01:00
ppc spapr: Improve spapr_reallocate_hpt() error reporting 2020-10-28 01:08:53 +11:00
rdma Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
riscv hw/riscv: Load the kernel after the firmware 2020-10-22 12:00:22 -07:00
rtc m48t59: remove legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
rx Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
s390x s390x/pci: get zPCI function info from host 2020-11-01 12:30:52 -07:00
scsi scsi/scsi_bus: Add scsi_device_get 2020-10-12 11:50:51 -04:00
sd Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
semihosting semihosting: add qemu_semihosting_console_inc for SYS_READC 2020-01-09 11:41:29 +00:00
sh4 hw/sh4: Extract timer definitions to 'hw/timer/tmu012.h' 2020-06-22 18:37:12 +02:00
southbridge Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
sparc sparc32-espdma: use object_initialize_child() for esp child object 2020-10-28 07:59:25 +00:00
ssi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
timer hw/timer/armv7m_systick: Rewrite to use ptimers 2020-10-27 11:15:31 +00:00
tricore Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
unicore32
usb usb/xhci: add xhci_sysbus_build_aml() helper 2020-10-21 11:36:19 +02:00
vfio vfio: Add routine for finding VFIO_DEVICE_GET_INFO capabilities 2020-11-01 12:30:52 -07:00
virtio vhost-blk: set features before setting inflight feature 2020-10-30 06:48:53 -04:00
watchdog hw/watchdog: Implement SBSA watchdog device 2020-10-27 11:10:44 +00:00
xen xen-bus: reduce scope of backend watch 2020-10-19 16:32:41 +01:00
xtensa Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
boards.h machine: remove deprecated -machine enforce-config-section option 2020-10-26 07:08:39 -04:00
clock.h hw/core/clock: provide the VMSTATE_ARRAY_CLOCK macro 2020-10-27 11:10:44 +00:00
elf_ops.h hw/elf_ops: Do not ignore write failures when loading ELF 2020-06-10 12:10:23 -04:00
fw-path-provider.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hotplug.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hw.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
ide.h hw/ide: Move MAX_IDE_DEVS define to hw/ide/internal.h 2020-03-17 12:22:36 -04:00
irq.h include/hw/irq.h: New function qemu_irq_is_connected() 2020-08-03 17:55:03 +01:00
loader-fit.h
loader.h hw/core/loader: Let load_elf() populate a field with CPU-specific flags 2020-01-29 19:28:52 +01:00
nmi.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
or-irq.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
pcmcia.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
platform-bus.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ptimer.h ptimer: Remove old ptimer_init_with_bh() API 2019-11-11 13:44:16 +00:00
qdev-clock.h hw/qdev-clock: Avoid calling qdev_connect_clock_in after DeviceRealize 2020-08-28 10:02:46 +01:00
qdev-core.h Pull request trivial branch 20201027 2020-10-30 15:49:35 +00:00
qdev-dma.h
qdev-properties.h hw/core/qdev-properties: Export qdev_prop_enum 2020-10-06 11:09:35 -04:00
register.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
registerfields.h hw/registerfields: Prefix local variables with underscore in macros 2020-05-27 11:23:07 -07:00
resettable.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
stream.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
sysbus.h qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
usb.h Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
vmstate-if.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00