motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-06 01:03:55 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

hw/ssi/xilinx_spips: fix an out of bound access

Browse source 
The spips, qspips, and zynqmp-qspips share the same realize function
(xilinx_spips_realize) and initialize their io memory region with different
mmio_ops passed through the class.  The size of the memory region is set to
the largest area (0x200 bytes for zynqmp-qspips) thus it is possible to write
out of s->regs[addr] in xilinx_spips_write for spips and qspips.

This fixes that wrong behavior.

Reviewed-by: Luc Michel <luc.michel@amd.com>
Signed-off-by: Frederic Konrad <fkonrad@amd.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Message-id: 20231124143505.1493184-2-fkonrad@amd.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Frederic Konrad 2023-11-24 14:35:03 +00:00 committed by Peter Maydell
parent 6e782ffd55
commit 90bb6d6764
2 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
include/hw/ssi/xilinx_spips.h
View file

@ -33,7 +33,9 @@
typedef struct XilinxSPIPS XilinxSPIPS;
/* For SPIPS, QSPIPS. */
#define XLNX_SPIPS_R_MAX (0x100 / 4)
/* For ZYNQMP_QSPIPS. */
#define XLNX_ZYNQMP_SPIPS_R_MAX (0x200 / 4)
/* Bite off 4k chunks at a time */
@ -125,6 +127,7 @@ struct XilinxSPIPSClass {
SysBusDeviceClass parent_class;
const MemoryRegionOps *reg_ops;
uint64_t reg_size;
uint32_t rx_fifo_size;
uint32_t tx_fifo_size;