qemu/hw/net/can
Peter Maydell 5e73953a27 hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer
The ctucan device has 4 CAN bus cores, each of which has a set of 20
32-bit registers for writing the transmitted data. The registers are
however not contiguous; each core's buffers are 0x100 bytes after
the last.

We got the checks on the address wrong in the ctucan_mem_write()
function:
 * the first "is addr in range at all" check allowed
   addr == CTUCAN_CORE_MEM_SIZE, which is actually the first
   byte off the end of the range
 * the decode of addresses into core-number plus offset in the
   tx buffer for that core failed to check that the offset was
   in range, so the guest could write off the end of the
   tx_buffer[] array

NB: currently the values of CTUCAN_CORE_MEM_SIZE, CTUCAN_CORE_TXBUF_NUM,
etc, make "buff_num >= CTUCAN_CORE_TXBUF_NUM" impossible, but we
retain this as a runtime check rather than an assertion to permit
those values to be changed in future (in hardware they are
configurable synthesis parameters).

Fix the top level check, and check the offset is within the buffer.

Fixes: Coverity CID 1432874
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Tested-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-11-11 20:34:36 +08:00
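
The two checks the commit message describes, as an added C model that is not QEMU's code and not part of the commit. The `EX_*` names, the window size 0x500, the base offset 0x100 and the buffer count of 4 are assumptions; the 20 32-bit registers and the 0x100 spacing come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: names and values are assumptions, not QEMU's. */
#define EX_MEM_SIZE     0x500u      /* size of the register window */
#define EX_TXBUF_BASE   0x100u      /* first tx buffer starts here */
#define EX_TXBUF_STRIDE 0x100u      /* buffers are 0x100 bytes apart */
#define EX_TXBUF_NUM    4u
#define EX_TXBUF_LEN    (20u * 4u)  /* 20 32-bit registers = 80 bytes */

static uint8_t ex_tx_buffer[EX_TXBUF_NUM][EX_TXBUF_LEN];

/* Decode a 32-bit register write and report whether it is accepted.
 * strict=false models the two mistakes listed in the commit message. */
static bool ex_mem_write(uint64_t addr, uint32_t val, bool strict)
{
    /* Check 1: addr == EX_MEM_SIZE is the first byte past the window. */
    if (strict ? addr >= EX_MEM_SIZE : addr > EX_MEM_SIZE) {
        return false;
    }
    if (addr < EX_TXBUF_BASE) {
        return false;               /* other registers are not modelled */
    }
    uint64_t rel = addr - EX_TXBUF_BASE;
    uint64_t buff_num = rel / EX_TXBUF_STRIDE;
    uint64_t off = rel % EX_TXBUF_STRIDE;

    /* Runtime check, kept even when the constants make it unreachable. */
    if (buff_num >= EX_TXBUF_NUM) {
        return false;
    }
    /* Check 2: the stride exceeds the buffer length, so off can too.
     * This model also accounts for the 4-byte width of the store. */
    bool off_ok = off <= EX_TXBUF_LEN - sizeof(val);
    if (strict && !off_ok) {
        return false;
    }
    if (off_ok) {                   /* the model never stores out of range */
        memcpy(&ex_tx_buffer[buff_num][off], &val, sizeof(val));
    }
    return true;
}

int main(void)
{
    printf("%d %d\n", ex_mem_write(0x150, 1, false), ex_mem_write(0x150, 1, true));
    return 0;
}
```

With these constants the off-by-one in the first check is caught by the `buff_num` check, so the missing offset check is the one that lets an address such as 0x150 through in the non-strict variant.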
can_kvaser_pci.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
can_mioe3680_pci.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
can_pcm3680_pci.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
can_sja1000.c hw/net/can: sja1000 ignore CAN FD frames 2020-09-30 19:11:36 +02:00
can_sja1000.h hw/net/can: Make CanBusClientInfo::can_receive() return a boolean 2020-03-31 21:14:35 +08:00
ctu_can_fd_frame.h hw/net/can/ctucafd: Add CTU CAN FD core register definitions. 2020-09-30 19:11:37 +02:00
ctu_can_fd_regs.h hw/net/can/ctucafd: Add CTU CAN FD core register definitions. 2020-09-30 19:11:37 +02:00
ctucan_core.c hw/net/can/ctucan: Don't allow guest to write off end of tx_buffer 2020-11-11 20:34:36 +08:00
ctucan_core.h hw/net/can: CTU CAN FD IP open hardware core emulation. 2020-09-30 19:11:37 +02:00
ctucan_pci.c hw/net/can: CTU CAN FD IP open hardware core emulation. 2020-09-30 19:11:37 +02:00
meson.build hw/net/can: CTU CAN FD IP open hardware core emulation. 2020-09-30 19:11:37 +02:00