qemu/hw
David Gibson 4bc7b4d566 i6300esb: Fix signed integer overflow
If the guest programs a sufficiently large timeout value an integer
overflow can occur in i6300esb_restart_timer().  e.g. if the maximum
possible timer preload value of 0xfffff is programmed then we end up with
the calculation:

timeout = get_ticks_per_sec() * (0xfffff << 15) / 33000000;

get_ticks_per_sec() returns 1000000000 (10^9) giving:

     10^9 * (0xfffff * 2^15) == 0x1dcd632329b000000 (65 bits)

Obviously the division by 33MHz brings it back under 64-bits, but the
overflow has already occurred.

Since signed integer overflow has undefined behaviour in C, in theory this
could be arbitrarily bad.  In practice, the overflowed value wraps around
to something negative, causing the watchdog to immediately expire, killing
the guest, which is still fairly bad.

The bug can be triggered by running a Linux guest, loading the i6300esb
driver with parameter "heartbeat=2046" and opening /dev/watchdog.  The
watchdog will trigger as soon as the device is opened.

This patch corrects the problem by using muldiv64(), which effectively
allows a 128-bit intermediate value between the multiplication and
division.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <1427075508-12099-3-git-send-email-david@gibson.dropbear.id.au>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-03-25 13:38:05 +01:00
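The overflow and the muldiv64() approach described above, as an added example that is not QEMU's own code: it evaluates the timeout formula from the message with the pre-fix int64_t arithmetic, the wrapped value in practice, and a 128-bit intermediate. muldiv64_wide() is a local stand-in for muldiv64() whose argument types are an assumption; TICKS_PER_SEC, ESB_CLOCK_HZ and MAX_PRELOAD are the values quoted in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the commit message (constructed example, not QEMU's code). */
#define TICKS_PER_SEC 1000000000ULL /* what get_ticks_per_sec() returns */
#define ESB_CLOCK_HZ  33000000ULL   /* the i6300esb 33 MHz clock */
#define MAX_PRELOAD   0xfffffULL    /* largest 20-bit timer preload */

/* Stand-in for the muldiv64() idea: a*b/c via a 128-bit intermediate (GCC/Clang __int128). */
static uint64_t muldiv64_wide(uint64_t a, uint64_t b, uint64_t c)
{
    unsigned __int128 prod = (unsigned __int128)a * b;
    return (uint64_t)(prod / c);
}

/* Bit width of the exact product, to show why int64_t is too narrow. */
static int product_bits(uint64_t preload)
{
    unsigned __int128 prod = (unsigned __int128)TICKS_PER_SEC * (preload << 15);
    int bits = 0;
    while (prod) { prod >>= 1; bits++; }
    return bits;
}

/* Pre-fix expression in int64_t. On overflow, return the wrapped (negative)
 * value the message describes, computed with well-defined unsigned arithmetic. */
static int64_t naive_timeout(int64_t preload, bool *overflowed)
{
    int64_t prod;
    *overflowed = __builtin_mul_overflow((int64_t)TICKS_PER_SEC, preload << 15, &prod);
    if (*overflowed)
        prod = (int64_t)(TICKS_PER_SEC * (uint64_t)(preload << 15)); /* mod 2^64 */
    return prod / (int64_t)ESB_CLOCK_HZ;
}

/* Post-fix computation: same formula, no 64-bit intermediate. */
static int64_t fixed_timeout(uint64_t preload)
{
    return (int64_t)muldiv64_wide(TICKS_PER_SEC, preload << 15, ESB_CLOCK_HZ);
}

int main(void)
{
    bool ovf = false;
    int64_t naive = naive_timeout(MAX_PRELOAD, &ovf);
    printf("%d-bit product; naive %lld ns%s; fixed %lld ns\n", product_bits(MAX_PRELOAD),
           (long long)naive, ovf ? " (overflowed)" : "", (long long)fixed_timeout(MAX_PRELOAD));
    return 0;
}
```

For the maximum preload the naive path yields a negative timeout, which is why the watchdog fires immediately, while the 128-bit path gives roughly 1041 seconds.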
9pfs 9pfs: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
acpi acpi: specify format for build_append_namestring 2015-03-11 18:24:29 +01:00
alpha QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
arm error: Replace error_report() & error_free() with error_report_err() 2015-03-19 11:11:55 +03:00
audio pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
block - scsi: improvements to error reporting and conversion to realize, 2015-03-10 18:03:02 +00:00
bt l2cap: fix access to freed memory 2014-08-15 19:12:48 +04:00
char virtio-serial api: guest_writable callback for users 2015-03-19 16:46:32 +00:00
core elf-loader: Fix truncation warning from coverity 2015-03-19 11:36:52 +03:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
display Fix remaining warnings from Sparse (void return) 2015-03-19 11:11:55 +03:00
dma omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
gpio omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
i2c pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
i386 fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
ide ahci: Fix sglist offset manipulation for BE machines 2015-03-23 12:24:16 -04:00
input adb.c: include ADBDevice parent state in KBDState and MouseState 2015-03-09 15:00:04 +01:00
intc Fix remaining warnings from Sparse (void return) 2015-03-19 11:11:55 +03:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
isa acpi, ich9: Add unplug cb for ich9. 2015-02-26 12:42:18 +01:00
lm32 configure: opengl overhaul 2015-03-12 15:49:57 +01:00
m68k m68k: Use cpu_m68k_init() 2015-03-10 17:07:28 +01:00
mem pc-dimm: Add description for device list. 2015-03-19 11:17:36 +03:00
microblaze Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
mips QOM infrastructure fixes and device conversions 2015-03-02 13:20:43 +00:00
misc omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
moxie memory: add parameter errp to memory_region_init_ram 2014-09-09 13:41:43 +02:00
net fix GCC 5.0.0 logical-not-parentheses warnings 2015-03-10 08:15:34 +03:00
nvram fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci pcie_aer: fix comment to match pcie spec 2015-03-18 12:48:21 +01:00
pci-bridge pci, pc, virtio fixes and cleanups 2015-03-09 09:14:28 +00:00
pci-host machine: replace qemu opts with iommu property 2015-03-11 18:10:43 +01:00
pcmcia hmp: Remove "info pcmcia" 2014-10-24 12:19:11 +01:00
ppc fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
s390x s390x/pci: fix length in sei_nt2 event 2015-03-16 10:20:17 +01:00
scsi virtio-scsi-dataplane: fix memory leak in virtio_scsi_vring_init 2015-03-18 12:08:52 +01:00
sd omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
sh4 r2d: Don't use legacy -usbdevice support for setting up board 2015-02-18 10:53:10 +01:00
sparc fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
sparc64 fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
ssi omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
timer Fix remaining warnings from Sparse (void return) 2015-03-19 11:11:55 +03:00
tpm Fix remaining warnings from Sparse (void return) 2015-03-19 11:11:55 +03:00
tricore target-tricore: check return value before using it 2014-11-02 10:04:34 +03:00
unicore32 unicore32: Use uc32_cpu_init() 2015-03-10 17:07:28 +01:00
usb usb: bugfix collection. 2015-03-20 09:50:08 +00:00
vfio vfio: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
virtio virtio: validate the existence of handle_output before calling it 2015-03-16 15:29:51 +01:00
watchdog i6300esb: Fix signed integer overflow 2015-03-25 13:38:05 +01:00
xen xen-pt: fix Out-of-bounds read 2015-03-10 08:15:33 +03:00
xenpv hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
xtensa xtensa: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00