qemu/hw
Peter Maydell 5e73953a27 hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
The ctucan device has 4 CAN bus cores, each of which has a set of 20
32-bit registers for writing the transmitted data. The registers are
however not contiguous; each core's buffers is 0x100 bytes after
the last.

We got the checks on the address wrong in the ctucan_mem_write()
function:
 * the first "is addr in range at all" check allowed
   addr == CTUCAN_CORE_MEM_SIZE, which is actually the first
   byte off the end of the range
 * the decode of addresses into core-number plus offset in the
   tx buffer for that core failed to check that the offset was
   in range, so the guest could write off the end of the
   tx_buffer[] array

NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM,
etc, make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we
retain this as a runtime check rather than an assertion to permit
those values to be changed in future (in hardware they are
configurable synthesis parameters).

Fix the top level check, and check the offset is within the buffer.

Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Tested-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11 20:34:36 +08:00
..
9pfs hw/9pfs: Fix Kconfig dependency problem between 9pfs and Xen 2020-11-05 15:21:11 +01:00
acpi hw/acpi : add spaces around operator 2020-11-03 07:19:27 -05:00
adc meson: convert hw/adc 2020-08-21 06:30:32 -04:00
alpha load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
arm hw/arm/nseries: Check return value from load_image_targphys() 2020-11-10 11:03:48 +00:00
audio Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
avr Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
block hw/block/nvme: fix free of array-typed value 2020-11-09 15:44:21 +01:00
char hw/char/pl011: add a clock input 2020-10-27 11:10:44 +00:00
core hw/mips/boston: Fix Lesser GPL version number 2020-11-03 16:51:13 +01:00
cpu cpu/core: Register core-id and nr-threads as class properties 2020-09-22 16:48:29 -04:00
cris load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
display ati: check x y display parameter values 2020-11-04 08:25:17 +01:00
dma sparc32-ledma: don't reference nd_table directly within the device 2020-10-28 07:59:25 +00:00
gpio hw/gpio: Add GPIO model for Nuvoton NPCM7xx 2020-10-27 11:10:32 +00:00
hppa Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
hyperv qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
i2c microbit_i2c: Fix coredump when dump-vmstate 2020-10-20 16:12:00 +01:00
i386 pc: comment style fixup 2020-11-03 07:19:26 -05:00
ide xen: rework pci_piix3_xen_ide_unplug 2020-11-02 11:56:55 +00:00
input Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
intc hw/intc/ibex_plic: Clear the claim register when read 2020-11-09 15:09:53 -08:00
ipack Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ipmi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
isa hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ 2020-11-03 09:42:53 -05:00
lm32 hw/sd/milkymist: Do not create SD card within the SD host controller 2020-08-21 16:22:43 +02:00
m68k Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
mem memory-device: Add get_min_alignment() callback 2020-11-03 07:19:26 -05:00
microblaze load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
mips hw/mips/boston: Fix memory leak in boston_fdt_filter() error-handling paths 2020-11-09 00:40:44 +01:00
misc hw/misc/stm32f2xx_syscfg: Remove extraneous IRQ 2020-11-10 11:03:48 +00:00
moxie load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
net hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer 2020-11-11 20:34:36 +08:00
nios2 load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
nubus meson: convert hw/nubus 2020-08-21 06:30:25 -04:00
nvram hw/nvram: Always register FW_CFG_DATA_GENERATOR_INTERFACE 2020-10-12 11:50:20 -04:00
openrisc meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
pci pci: Disallow improper BAR registration for type 1 2020-10-30 06:48:53 -04:00
pci-bridge Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-host hw/mips/boston: Fix Lesser GPL version number 2020-11-03 16:51:13 +01:00
pcmcia pxa2xx: Move QOM macros to header 2020-08-27 14:04:55 -04:00
ppc spapr: Convert hpt_prepare_thread() to use qemu_try_memalign() 2020-11-05 12:18:48 +11:00
rdma qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
riscv hw/riscv: microchip_pfsoc: Hook the I2C1 controller 2020-11-03 07:17:23 -08:00
rtc m48t59: remove legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
rx hw/rx/rx-gdbsim: Fix memory leak (CID 1432307) 2020-11-09 00:53:07 +01:00
s390x s390x: Avoid variable size warning in ipl.h 2020-11-10 08:51:30 +01:00
scsi scsi/scsi_bus: fix races in REPORT LUNS 2020-10-12 11:50:51 -04:00
sd hw/sd/sdcard: Zero out function selection fields before being populated 2020-10-26 09:23:47 +01:00
semihosting meson: convert hw/semihosting 2020-08-21 06:30:25 -04:00
sh4 Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
smbios hw/smbios: Fix leaked fd in save_opt_one() error path 2020-11-03 07:19:27 -05:00
sparc sparc32-ledma: don't reference nd_table directly within the device 2020-10-28 07:59:25 +00:00
sparc64 sabre: don't call sysbus_mmio_map() in sabre_realize() 2020-10-28 07:59:25 +00:00
ssi ssi: Fix bad printf format specifiers 2020-11-10 11:03:47 +00:00
timer target-arm queue: 2020-10-29 11:40:04 +00:00
tpm Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
tricore meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
unicore32 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
usb dev-serial: store flow control and xon/xoff characters 2020-11-04 07:22:37 +01:00
vfio vfio: Don't issue full 2^64 unmap 2020-11-03 16:39:05 -05:00
virtio vhost-blk: set features before setting inflight feature 2020-11-03 16:39:05 -05:00
watchdog hw/watchdog: Implement SBSA watchdog device 2020-10-27 11:10:44 +00:00
xen xen-bus: reduce scope of backend watch 2020-10-19 16:32:41 +01:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
Kconfig hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
meson.build meson: convert hw/arch* 2020-08-21 06:30:33 -04:00