qemu/hw/timer
Akihiko Odaki 37d2bcbc2a hw/timer/hpet: Fix expiration time overflow
The expiration time provided for timer_mod() can overflow if a
ridiculously large value is set to the comparator register. The
resulting value can represent a past time after rounded, forcing the
timer to fire immediately. If the timer is configured as periodic, it
will rearm the timer again, and form an endless loop.

Check if the expiration value will overflow, and if it will, stop the
timer instead of rearming the timer with the overflowed time.

This bug was found by Alexander Bulekov when fuzzing igb, a new
network device emulation:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/

The fixed test case is:
fuzz/crash_2d7036941dcda1ad4380bb8a9174ed0c949bcefd

Fixes: 16b29ae180 ("Add HPET emulation to qemu (Beth Kon)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20230131030037.18856-1-akihiko.odaki@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-03-02 03:10:47 -05:00
..
a9gtimer.c
allwinner-a10-pit.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
altera_timer.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
arm_mptimer.c
arm_timer.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
armv7m_systick.c
aspeed_timer.c
avr_timer16.c
bcm2835_systmr.c
cadence_ttc.c
cmsdk-apb-dualtimer.c
cmsdk-apb-timer.c
digic-timer.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
etraxfs_timer.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
exynos4210_mct.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
exynos4210_pwm.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
grlib_gptimer.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
hpet.c hw/timer/hpet: Fix expiration time overflow 2023-03-02 03:10:47 -05:00
i8254_common.c
i8254.c
ibex_timer.c hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
imx_epit.c hw/timer/imx_epit: fix compare timer handling 2023-01-05 12:14:43 +00:00
imx_gpt.c i.MX6UL: Add a specific GPT timer instance for the i.MX6UL 2023-01-05 15:02:08 +00:00
Kconfig
meson.build
mips_gictimer.c
mss-timer.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
npcm7xx_timer.c
nrf51_timer.c
omap_gptimer.c hw/arm/omap: Drop useless casts from void * to pointer 2023-01-12 17:15:09 +00:00
omap_synctimer.c hw/arm/omap: Drop useless casts from void * to pointer 2023-01-12 17:15:09 +00:00
pxa2xx_timer.c
renesas_cmt.c treewide: Remove the unnecessary space before semicolon 2022-10-24 13:41:10 +02:00
renesas_tmr.c treewide: Remove the unnecessary space before semicolon 2022-10-24 13:41:10 +02:00
sh_timer.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
sifive_pwm.c
slavio_timer.c ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
sse-counter.c
sse-timer.c Fix 'writeable' typos 2022-06-08 19:38:47 +01:00
stellaris-gptm.c
stm32f2xx_timer.c
trace-events
trace.h
xilinx_timer.c hw/timer/xilinx_timer: Use XpsTimerState instead of 'struct timerblock' 2023-01-12 17:15:09 +00:00