Go to file
David Gibson 4bc7b4d566 i6300esb: Fix signed integer overflow
If the guest programs a sufficiently large timeout value an integer
overflow can occur in i6300esb_restart_timer().  e.g. if the maximum
possible timer preload value of 0xfffff is programmed then we end up with
the calculation:

timeout = get_ticks_per_sec() * (0xfffff << 15) / 33000000;

get_ticks_per_sec() returns 1000000000 (10^9) giving:

     10^9 * (0xfffff * 2^15) == 0x1dcd632329b000000 (65 bits)

Obviously the division by 33MHz brings it back under 64-bits, but the
overflow has already occurred.

Since signed integer overflow has undefined behaviour in C, in theory this
could be arbitrarily bad.  In practice, the overflowed value wraps around
to something negative, causing the watchdog to immediately expire, killing
the guest, which is still fairly bad.

The bug can be triggered by running a Linux guest, loading the i6300esb
driver with parameter "heartbeat=2046" and opening /dev/watchdog.  The
watchdog will trigger as soon as the device is opened.

This patch corrects the problem by using muldiv64(), which effectively
allows a 128-bit intermediate value between the multiplication and
division.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <1427075508-12099-3-git-send-email-david@gibson.dropbear.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-25 13:38:05 +01:00
audio audio: Don't free hw resources until after hw backend is stopped 2014-12-22 23:12:25 +00:00
backends backends: Fix warning from Sparse 2015-03-19 11:11:55 +03:00
block Block patches for 2.3.0-rc1 2015-03-19 17:47:08 +00:00
bsd-user cpu: Make cpu_init() return QOM CPUState object 2015-03-10 17:33:51 +01:00
default-configs hw/usb: Include USB files only if necessary 2015-03-18 11:50:47 +01:00
disas cris: remove unused cris_cond15 declarations 2015-03-19 11:11:55 +03:00
docs docs: add memory-hotplug.txt 2015-03-04 13:00:36 -05:00
dtc@bc895d6d09
fpu softfloat: expand out STATUS macro 2015-02-06 16:11:38 +00:00
fsdev Fix typos in comments 2015-03-19 11:30:37 +03:00
gdb-xml s390x/gdb: add the feature xml files for s390x 2014-09-01 09:45:19 +02:00
hw i6300esb: Fix signed integer overflow 2015-03-25 13:38:05 +01:00
include NUMA queue 2015-03-19 2015-03-20 10:37:03 +00:00
libcacard libcacard: stop linking against every single 3rd party library 2015-02-10 09:27:20 +03:00
libdecnumber libdecnumber: Fix warnings from smatch (missing static, boolean operations) 2014-08-24 13:21:06 +04:00
linux-headers synchronize Linux headers to 4.0-rc3 2015-03-10 09:26:22 +01:00
linux-user linux-user: fix broken cpu_copy() 2015-03-23 15:26:42 +02:00
migration migration: Expose 'cancelling' status to user 2015-03-17 15:20:37 +01:00
net net: synchronize net_host_device_remove with host_net_remove_completion 2015-03-12 19:59:39 +00:00
pc-bios seabios: update to 1.8.1 stable release 2015-03-16 09:07:15 +01:00
pixman@87eea99e44 pixman: update internal copy to pixman-0.32.6 2014-09-15 08:14:19 +02:00
po po: fix conflict with %.mo rule in rules.mak 2014-09-26 13:35:08 +02:00
qapi block: Fix blockdev-backup not to use funky error class 2015-03-19 16:02:59 +01:00
qga qga/commands-posix: Fix resource leak 2015-03-19 11:39:18 +03:00
qobject qjson: Drop trailing space for pretty formatting 2014-12-10 10:25:30 +01:00
qom qom: Fix warning from Sparse 2015-03-19 11:11:55 +03:00
roms seabios: update to 1.8.1 stable release 2015-03-16 09:07:15 +01:00
scripts build: pass .d file name to scripts/make_device_config.sh, fix makefile target 2015-03-18 12:07:25 +01:00
slirp slirp: udp: fix NULL pointer dereference because of uninitialized socket 2014-09-23 19:15:05 +01:00
stubs pci, pc, virtio fixes and cleanups 2015-03-09 09:14:28 +00:00
sysconfigs/target
target-alpha tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-arm target-arm: Ignore low bit of PC in M-profile exception return 2015-03-16 12:30:47 +00:00
target-cris cris: remove unused cris_cond15 declarations 2015-03-19 11:11:55 +03:00
target-i386 target-i386: Haswell-noTSX and Broadwell-noTSX 2015-03-19 16:35:14 -03:00
target-lm32 tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-m68k tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-microblaze tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-mips trivial patches for 2015-03-19 2015-03-19 14:10:20 +00:00
target-moxie target-moxie: Fix warnings from Sparse (one-bit signed bitfield) 2015-03-19 11:11:55 +03:00
target-openrisc tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-ppc tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-s390x Final batch of s390x enhancements/fixes for 2.3: 2015-03-16 11:44:55 +00:00
target-sh4 tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-sparc tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-tricore target-tricore: properly fix dvinit_b/h_13 2015-03-24 09:45:28 +01:00
target-unicore32 tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
target-xtensa tcg: Change translator-side labels to a pointer 2015-03-13 12:28:18 -07:00
tcg tcg/optimize: Handle or r,a,a with constant a 2015-03-16 08:46:13 -07:00
tests rcu tests: fix compilation on 32-bit ppc 2015-03-25 13:37:10 +01:00
trace Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
ui ui: ensure VNC websockets server checks the ACL if requested 2015-03-18 09:25:14 +01:00
util util/uri: Add overflow check to rfc3986_parse_port 2015-03-18 12:05:31 +01:00
.exrc
.gitignore gitignore: Track common.env in iotests gitignore 2015-03-10 08:15:34 +03:00
.gitmodules PPC: Add u-boot firmware for e500 2014-06-16 13:24:35 +02:00
.mailmap
.travis.yml .travis.yml: Add "--enable-modules" 2015-01-26 12:27:05 +01:00
accel.c accel: Create accel object when initializing machine 2014-10-09 15:36:14 +02:00
aio-posix.c block: Use g_new0() for a bit of extra type checking 2014-12-10 10:31:21 +01:00
aio-win32.c block: Use g_new0() for a bit of extra type checking 2014-12-10 10:31:21 +01:00
arch_init.c arch_init: Count the total number of pages by using helper function 2015-03-17 15:20:37 +01:00
async.c block: replace g_new0 with g_new for bottom half allocation. 2015-01-13 11:47:56 +00:00
balloon.c balloon: Fix typo 2015-02-23 10:56:09 -05:00
block.c block: Drop bdrv_find 2015-03-16 12:10:30 -04:00
blockdev-nbd.c nbd: Handle blk_getlength() failure 2015-03-18 12:06:50 +01:00
blockdev.c block: Fix blockdev-backup not to use funky error class 2015-03-19 16:02:59 +01:00
blockjob.c block: declare blockjobs and dataplane friends! 2014-11-03 11:41:49 +00:00
bootdevice.c bootdevice: bug fixes 2015-03-08 06:43:32 +00:00
bt-host.c
bt-vhci.c
Changelog
CODING_STYLE CODING_STYLE: Section about conditional statement 2014-08-15 18:54:06 +04:00
configure configure: enable kvm on x32 2015-03-19 11:17:27 +03:00
COPYING
COPYING.LIB
coroutine-gthread.c glib-compat.h: add new thread API emulation on top of pre-2.31 API 2014-06-10 07:44:01 +02:00
coroutine-sigaltstack.c coroutine-sigaltstack: Change jmp_buf to sigjmp_buf 2014-11-11 11:07:55 +03:00
coroutine-ucontext.c coroutine-ucontext: use __thread 2015-01-13 13:43:28 +00:00
coroutine-win32.c coroutine-win32.c: Add noinline attribute to work around gcc bug 2014-06-26 14:08:14 +01:00
cpu-exec.c - vhost-scsi: add bootindex property 2015-02-24 13:58:18 +00:00
cpus.c profiler: Reenable built-in profiler 2015-03-18 12:07:34 +01:00
cputlb.c exec: RCUify AddressSpaceDispatch 2015-02-16 17:30:19 +01:00
device_tree.c machine: query phandle-start machine property 2015-03-11 18:17:11 +01:00
device-hotplug.c pci-hotplug-old: Has been dead for five major releases, bury 2015-03-01 12:37:54 +01:00
disas.c monitor: QEMU Monitor Instruction Disassembly Incorrect for PowerPC LE Mode 2014-06-16 13:24:26 +02:00
dma-helpers.c hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
dump.c dump: Fix dump-guest-memory termination and use-after-close 2014-11-02 10:04:34 +03:00
exec.c exec: Respect as_tranlsate_internal length clamp 2015-03-18 12:09:42 +01:00
gdbstub.c gdbstub: avoid possible NULL pointer dereference 2015-03-10 08:15:34 +03:00
HACKING
hmp-commands.hx hmp: Fix texinfo documentation 2015-03-19 11:35:52 +03:00
hmp.c migration/next for 20150317 2015-03-17 17:11:33 +00:00
hmp.h qom: Implement qom-set HMP command 2015-03-17 14:31:15 +01:00
iohandler.c iohandler.c: Properly initialize sigaction struct 2014-05-24 00:07:29 +04:00
ioport.c memory: convert memory_region_destroy to object_unparent 2014-08-18 12:06:20 +02:00
iothread.c async: aio_context_new(): Handle event_notifier_init failure 2014-09-22 11:39:48 +01:00
kvm-all.c kvm: fix ioeventfd endianness on bi-endian architectures 2015-03-18 12:07:30 +01:00
kvm-stub.c pc: kvm: check if KVM has free memory slots to avoid abort() 2014-11-23 12:11:29 +02:00
LICENSE vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00
main-loop.c Revert "main-loop.c: Handle SIGINT, SIGHUP and SIGTERM synchronously" 2014-10-27 15:05:09 +00:00
MAINTAINERS misc fixes and cleanups 2015-03-12 09:13:07 +00:00
Makefile build: pass .d file name to scripts/make_device_config.sh, fix makefile target 2015-03-18 12:07:25 +01:00
Makefile.objs QJSON: Add JSON writer 2015-02-05 17:16:14 +01:00
Makefile.target Makefile.target: binary depends on config-devices 2015-03-01 19:41:50 +01:00
memory_mapping.c Add skip_dump flag to ignore memory region during dump 2014-10-31 11:29:01 +01:00
memory.c memory: Move owner-less MemoryRegions to /machine/unattached 2015-03-17 14:31:26 +01:00
module-common.c
monitor.c usb: bugfix collection. 2015-03-20 09:50:08 +00:00
nbd.c nbd: Drop unexpected data for NBD_OPT_LIST 2015-03-18 12:07:16 +01:00
numa.c numa: Print warning if no node is assigned to a CPU 2015-03-19 16:20:15 -03:00
os-posix.c os-posix: reorder parent notification for -daemonize 2014-11-02 10:04:34 +03:00
os-win32.c pidfile: stop making pidfile error a special case 2014-11-02 10:04:34 +03:00
page_cache.c xbzrle: rebuild the cache_is_cached function 2015-01-15 17:49:43 +05:30
qapi-schema.json migration: Convert 'status' of MigrationInfo to use an enum type 2015-03-17 15:20:37 +01:00
qdev-monitor.c qom: Implement info qom-tree HMP command 2015-03-17 14:31:21 +01:00
qdict-test-data.txt
qemu-bridge-helper.c qemu-bridge-helper: Fix fd leak in main() 2014-06-27 10:39:10 +02:00
qemu-char.c qemu-img: Suppress unhelpful extra errors in convert, amend 2015-02-26 14:51:21 +01:00
qemu-coroutine-io.c coroutine-io: Return -errno in case of error 2015-03-18 12:07:21 +01:00
qemu-coroutine-lock.c
qemu-coroutine-sleep.c coroutine: Drop co_sleep_ns 2014-08-29 10:46:58 +01:00
qemu-coroutine.c coroutine: Clean up qemu_coroutine_enter() 2015-03-09 11:11:59 +01:00
qemu-doc.texi raw-posix: Deprecate host floppy passthrough 2015-03-19 11:43:02 +01:00
qemu-img-cmds.hx qemu-img: Add progress output for amend 2014-11-03 11:41:48 +00:00
qemu-img.c qemu-img: Avoid qerror_report_err() outside QMP handlers, again 2015-03-16 17:07:25 +01:00
qemu-img.texi qemu-img: Add progress output for amend 2014-11-03 11:41:48 +00:00
qemu-io-cmds.c qemu-io: Use BlockBackend 2015-02-16 15:07:19 +00:00
qemu-io.c Clean up around error_get_pretty(), qerror_report_err() 2015-02-26 07:01:08 +00:00
qemu-log.c qemu-log: Correct help text of 'log cpu_reset' 2015-02-10 09:27:20 +03:00
qemu-nbd.c nbd: Set block size to BDRV_SECTOR_SIZE 2015-03-18 12:07:01 +01:00
qemu-nbd.texi nbd: Miscellaneous typo fixes. 2014-05-24 00:07:29 +04:00
qemu-options-wrapper.h
qemu-options.h
qemu-options.hx Block patches for 2.3.0-rc1 2015-03-19 17:47:08 +00:00
qemu-seccomp.c seccomp: add mlockall to whitelist 2015-01-23 14:07:08 +01:00
qemu-tech.texi
qemu-timer.c qemu-timer.c: Trim list of included headers 2015-01-26 18:15:54 +00:00
qemu.nsi
qemu.sasl sasl: Avoid 'Could not find keytab file' in syslog 2014-03-15 13:54:18 +04:00
qjson.c QJSON: fix typo in author's email address 2015-02-10 09:27:20 +03:00
qmp-commands.hx Block patches for 2.3.0-rc1 2015-03-19 17:47:08 +00:00
qmp.c vnc: set id at parse time not init time 2015-03-10 11:33:35 +01:00
qtest.c qtest: Use qemu_opt_set() instead of qemu_opts_parse() 2015-02-26 14:52:13 +01:00
README
rules.mak rules.mak: Fix module build 2015-01-14 10:38:57 +01:00
savevm.c error: Replace error_report() & error_free() with error_report_err() 2015-03-19 11:11:55 +03:00
softmmu_template.h exec: make iotlb RCU-friendly 2015-02-16 17:30:19 +01:00
spice-qemu-char.c spice: Add missing 'static' attribute 2015-02-10 10:26:05 +03:00
tcg-runtime.c tcg: Push tcg-runtime routines into exec/helper-* 2014-05-28 09:33:54 -07:00
tci.c tcg: Remove unused opcodes 2015-02-12 21:21:38 -08:00
thread-pool.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
thunk.c
tpm.c tpm: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
trace-events s390x/kvm: trace all SIGP orders 2015-03-10 09:26:22 +01:00
translate-all.c translate-all: Use g_try_malloc() for dynamic translator buffer 2015-02-10 09:27:21 +03:00
translate-all.h translate-all: Change tb_check_watchpoint() argument to CPUState 2014-03-13 19:20:48 +01:00
user-exec.c user-exec.c: fix build on NetBSD/sparc64 and NetBSD/arm 2015-03-13 15:57:00 +00:00
VERSION Update version for v2.3.0-rc0 release 2015-03-17 18:58:33 +00:00
version.rc
vl.c numa: introduce machine callback for VCPU to node mapping 2015-03-19 16:12:09 -03:00
xen-common-stub.c accel: Move Xen registration code to xen-common.c 2014-10-04 08:59:15 +02:00
xen-common.c accel: Pass MachineState object to accel init functions 2014-10-09 12:57:10 +02:00
xen-hvm-stub.c xen: Remove xen_cmos_set_s3_resume() 2015-03-10 08:15:33 +03:00
xen-hvm.c Xen: Use the ioreq-server API when available 2015-01-20 14:24:10 +00:00
xen-mapcache.c xen: add a lock for the mapcache 2015-01-20 14:24:17 +00:00

Read the documentation in qemu-doc.html or on http://wiki.qemu-project.org

- QEMU team