87511bb878
ASan detected a global-buffer-overflow error in the aspeed_gpio_read()
function. This issue occurred when reading beyond the bounds of the
reg_table.
To enhance the safety and maintainability of the Aspeed GPIO code, this commit
introduces a reg_table_count member to the AspeedGPIOClass structure. This
change ensures that the size of the GPIO register table is explicitly tracked
and initialized, reducing the risk of errors if new register tables are
introduced in the future.
Reproducer:
cat << EOF | qemu-system-aarch64 -display none \
-machine accel=qtest, -m 512M -machine ast1030-evb -qtest stdio
readq 0x7e780272
EOF
ASAN log indicating the issue:
==2602930==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a5da29e128 at pc 0x55a5d700dc62 bp 0x7fff096c4e90 sp 0x7fff096c4e88
READ of size 2 at 0x55a5da29e128 thread T0
#0 0x55a5d700dc61 in aspeed_gpio_read hw/gpio/aspeed_gpio.c:564:14
#1 0x55a5d933f3ab in memory_region_read_accessor system/memory.c:445:11
#2 0x55a5d92fba40 in access_with_adjusted_size system/memory.c:573:18
#3 0x55a5d92f842c in memory_region_dispatch_read1 system/memory.c:1426:16
#4 0x55a5d92f7b68 in memory_region_dispatch_read system/memory.c:1459:9
#5 0x55a5d9376ad1 in flatview_read_continue_step system/physmem.c:2836:18
#6 0x55a5d9376399 in flatview_read_continue system/physmem.c:2877:19
#7 0x55a5d93775b8 in flatview_read system/physmem.c:2907:12
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2355
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
112 lines
2.7 KiB
C
112 lines
2.7 KiB
C
/*
|
|
* ASPEED GPIO Controller
|
|
*
|
|
* Copyright (C) 2017-2018 IBM Corp.
|
|
*
|
|
* This code is licensed under the GPL version 2 or later. See
|
|
* the COPYING file in the top-level directory.
|
|
*/
|
|
|
|
#ifndef ASPEED_GPIO_H
|
|
#define ASPEED_GPIO_H
|
|
|
|
#include "hw/sysbus.h"
|
|
#include "qom/object.h"
|
|
|
|
#define TYPE_ASPEED_GPIO "aspeed.gpio"
|
|
OBJECT_DECLARE_TYPE(AspeedGPIOState, AspeedGPIOClass, ASPEED_GPIO)
|
|
|
|
#define ASPEED_GPIO_MAX_NR_SETS 8
|
|
#define ASPEED_GPIOS_PER_SET 32
|
|
#define ASPEED_REGS_PER_BANK 14
|
|
#define ASPEED_GPIO_MAX_NR_REGS (ASPEED_REGS_PER_BANK * ASPEED_GPIO_MAX_NR_SETS)
|
|
#define ASPEED_GROUPS_PER_SET 4
|
|
#define ASPEED_GPIO_NR_DEBOUNCE_REGS 3
|
|
#define ASPEED_CHARS_PER_GROUP_LABEL 4
|
|
|
|
typedef struct GPIOSets GPIOSets;
|
|
|
|
typedef struct GPIOSetProperties {
|
|
uint32_t input;
|
|
uint32_t output;
|
|
char group_label[ASPEED_GROUPS_PER_SET][ASPEED_CHARS_PER_GROUP_LABEL];
|
|
} GPIOSetProperties;
|
|
|
|
enum GPIORegType {
|
|
gpio_not_a_reg,
|
|
gpio_reg_data_value,
|
|
gpio_reg_direction,
|
|
gpio_reg_int_enable,
|
|
gpio_reg_int_sens_0,
|
|
gpio_reg_int_sens_1,
|
|
gpio_reg_int_sens_2,
|
|
gpio_reg_int_status,
|
|
gpio_reg_reset_tolerant,
|
|
gpio_reg_debounce_1,
|
|
gpio_reg_debounce_2,
|
|
gpio_reg_cmd_source_0,
|
|
gpio_reg_cmd_source_1,
|
|
gpio_reg_data_read,
|
|
gpio_reg_input_mask,
|
|
};
|
|
|
|
/* GPIO index mode */
|
|
enum GPIORegIndexType {
|
|
gpio_reg_idx_data = 0,
|
|
gpio_reg_idx_direction,
|
|
gpio_reg_idx_interrupt,
|
|
gpio_reg_idx_debounce,
|
|
gpio_reg_idx_tolerance,
|
|
gpio_reg_idx_cmd_src,
|
|
gpio_reg_idx_input_mask,
|
|
gpio_reg_idx_reserved,
|
|
gpio_reg_idx_new_w_cmd_src,
|
|
gpio_reg_idx_new_r_cmd_src,
|
|
};
|
|
|
|
typedef struct AspeedGPIOReg {
|
|
uint16_t set_idx;
|
|
enum GPIORegType type;
|
|
} AspeedGPIOReg;
|
|
|
|
struct AspeedGPIOClass {
|
|
SysBusDevice parent_obj;
|
|
const GPIOSetProperties *props;
|
|
uint32_t nr_gpio_pins;
|
|
uint32_t nr_gpio_sets;
|
|
const AspeedGPIOReg *reg_table;
|
|
unsigned reg_table_count;
|
|
};
|
|
|
|
struct AspeedGPIOState {
|
|
/* <private> */
|
|
SysBusDevice parent;
|
|
|
|
/*< public >*/
|
|
MemoryRegion iomem;
|
|
int pending;
|
|
qemu_irq irq;
|
|
qemu_irq gpios[ASPEED_GPIO_MAX_NR_SETS][ASPEED_GPIOS_PER_SET];
|
|
|
|
/* Parallel GPIO Registers */
|
|
uint32_t debounce_regs[ASPEED_GPIO_NR_DEBOUNCE_REGS];
|
|
struct GPIOSets {
|
|
uint32_t data_value; /* Reflects pin values */
|
|
uint32_t data_read; /* Contains last value written to data value */
|
|
uint32_t direction;
|
|
uint32_t int_enable;
|
|
uint32_t int_sens_0;
|
|
uint32_t int_sens_1;
|
|
uint32_t int_sens_2;
|
|
uint32_t int_status;
|
|
uint32_t reset_tol;
|
|
uint32_t cmd_source_0;
|
|
uint32_t cmd_source_1;
|
|
uint32_t debounce_1;
|
|
uint32_t debounce_2;
|
|
uint32_t input_mask;
|
|
} sets[ASPEED_GPIO_MAX_NR_SETS];
|
|
};
|
|
|
|
#endif /* ASPEED_GPIO_H */
|