qemu/include
Philippe Mathieu-Daudé 4177b062fc hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ
libFuzzer triggered the following assertion:

  cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
    -nographic -monitor none -serial none \
    -qtest stdio -d guest_errors -trace pci\*
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xebed205d
  outl 0x5d02 0xedf82049
  EOF
  pci_cfg_write ICH9-LPC 31:0 @0x41 <- 0xebed205d
  hw/pci/pci.c:268: int pci_bus_get_irq_level(PCIBus *, int): Assertion `irq_num < bus->nirq' failed.

This is because ich9_lpc_sci_irq() returns -1 for reserved
(illegal) values, but ich9_lpc_pmbase_sci_update() considers
it valid and stores it in an 8-bit unsigned type. Then the 255
value is used as GSI IRQ, resulting in a PIRQ value of 247,
more than ICH9_LPC_NB_PIRQS (8).

Fix by simply ignoring the invalid access (and reporting it):

  pci_cfg_write ICH9-LPC 31:0 @0x41 <- 0xebed205d
  ICH9 LPC: SCI IRQ SEL #3 is reserved
  pci_cfg_read mch 00:0 @0x0 -> 0x8086
  pci_cfg_read mch 00:0 @0x0 -> 0x29c08086
  ...

Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: 8f242cb724 ("ich9: implement SCI_IRQ_SEL register")
BugLink: https://bugs.launchpad.net/qemu/+bug/1878642
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200717151705.18611-1-f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03 09:42:53 -05:00
authz authz: Fix Lesser GPL version number 2020-10-29 09:57:37 +00:00
block nvme pull 2 Nov 2020 2020-11-02 17:17:29 +00:00
chardev chardev/spice: simplify chardev setup 2020-10-15 11:14:40 +02:00
crypto qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
disas disas: Split out capstone code to disas/capstone.c 2020-10-03 04:25:14 -05:00
exec linux-user: Set PAGE_TARGET_1 for TARGET_PROT_BTI 2020-10-27 10:44:02 +00:00
fpu softfloat: Define comparison operations for bfloat16 2020-08-29 19:25:42 -07:00
hw hw/isa/lpc_ich9: Ignore reserved/invalid SCI IRQ 2020-11-03 09:42:53 -05:00
io io: Fix Lesser GPL version number 2020-10-29 09:57:37 +00:00
libdecnumber include: Make headers more self-contained 2019-08-16 13:31:51 +02:00
migration migration: Drop unused VMSTATE_FLOAT64 support 2020-10-26 16:15:04 +00:00
monitor monitor: Make current monitor a per-coroutine property 2020-10-09 07:08:19 +02:00
net qom: fix objects with improper parent type 2020-10-12 11:50:22 -04:00
qapi qapi: Add QAPI_LIST_PREPEND() macro 2020-10-30 15:10:14 -05:00
qemu cutils: replace strdup with g_strdup 2020-11-03 09:42:52 -05:00
qom qom: Add user_creatable_print_help_from_qdict() 2020-10-15 16:06:27 +02:00
scsi scsi-generic: Fix HM-zoned device scan 2020-09-30 19:09:20 +02:00
standard-headers linux-headers: update against 5.10-rc1 2020-11-01 12:30:51 -07:00
sysemu Pull request trivial branch 20201027 2020-10-30 15:49:35 +00:00
tcg tcg: Do not kill globals at conditional branches 2020-10-27 09:48:07 -07:00
ui spice: wire up monitor in QemuSpiceOps. 2020-10-21 15:46:14 +02:00
user trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
elf.h target-arm queue: 2020-10-29 11:40:04 +00:00
glib-compat.h glib-compat: add g_unix_get_passwd_entry_qemu() 2020-11-02 19:52:08 -06:00
qemu-common.h vl: relocate paths to data directories 2020-09-30 19:11:36 +02:00
qemu-io.h Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
trace-tcg.h trace: get rid of generated-events.h/generated-events.c 2016-10-12 09:54:52 +02:00