qemu/hw
Pierrick Bouvier 2cac20cbf7 hw/misc/npcm_clk: fix buffer-overflow
Regression introduced by cf76c4
(hw/misc: Add nr_regs and cold_reset_values to NPCM CLK)

cold_reset_values has a different size, depending on device used
(NPCM7xx vs NPCM8xx). However, s->regs has a fixed size, which matches
NPCM8xx. Thus, when initializing a NPCM7xx, we go past cold_reset_values
ending.

Report by asan:
==2066==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55d68a3e97f0 at pc 0x7fcaf2b2d14b bp 0x7ffff0cc3890 sp 0x7ffff0cc3040
READ of size 196 at 0x55d68a3e97f0 thread T0
    #0 0x7fcaf2b2d14a in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55d688447e0d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x55d688447e0d in npcm_clk_enter_reset ../hw/misc/npcm_clk.c:968
    #3 0x55d6899b7213 in resettable_phase_enter ../hw/core/resettable.c:136
    #4 0x55d6899a1ef7 in bus_reset_child_foreach ../hw/core/bus.c:97
    #5 0x55d6899b717d in resettable_child_foreach ../hw/core/resettable.c:92
    #6 0x55d6899b717d in resettable_phase_enter ../hw/core/resettable.c:129
    #7 0x55d6899b4ead in resettable_container_child_foreach ../hw/core/resetcontainer.c:54
    #8 0x55d6899b717d in resettable_child_foreach ../hw/core/resettable.c:92
    #9 0x55d6899b717d in resettable_phase_enter ../hw/core/resettable.c:129
    #10 0x55d6899b7bfa in resettable_assert_reset ../hw/core/resettable.c:55
    #11 0x55d6899b8666 in resettable_reset ../hw/core/resettable.c:45
    #12 0x55d688d15cd2 in qemu_system_reset ../system/runstate.c:527
    #13 0x55d687fc5edd in qdev_machine_creation_done ../hw/core/machine.c:1738
    #14 0x55d688d209bd in qemu_machine_creation_done ../system/vl.c:2779
    #15 0x55d688d209bd in qmp_x_exit_preconfig ../system/vl.c:2807
    #16 0x55d688d281fb in qemu_init ../system/vl.c:3838
    #17 0x55d687ceab12 in main ../system/main.c:68
    #18 0x7fcaef006249  (/lib/x86_64-linux-gnu/libc.so.6+0x27249)
    #19 0x7fcaef006304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304)
    #20 0x55d687cf0010 in _start (/home/runner/work/qemu-ci/qemu-ci/build/qemu-system-arm+0x371c010)

0x55d68a3e97f0 is located 0 bytes to the right of global variable 'npcm7xx_cold_reset_values' defined in '../hw/misc/npcm_clk.c:134:23' (0x55d68a3e9780) of size 112

Impacted tests:
Summary of Failures:

check:
  2/747 qemu:qtest+qtest-aarch64 / qtest-aarch64/qom-test                         ERROR             9.28s   killed by signal 6 SIGABRT
  4/747 qemu:qtest+qtest-arm / qtest-arm/qom-test                                 ERROR             7.82s   killed by signal 6 SIGABRT
 32/747 qemu:qtest+qtest-aarch64 / qtest-aarch64/device-introspect-test           ERROR            10.91s   killed by signal 6 SIGABRT
 35/747 qemu:qtest+qtest-arm / qtest-arm/device-introspect-test                   ERROR            11.33s   killed by signal 6 SIGABRT
114/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_pwm-test                         ERROR             0.98s   killed by signal 6 SIGABRT
115/747 qemu:qtest+qtest-aarch64 / qtest-aarch64/test-hmp                         ERROR             2.95s   killed by signal 6 SIGABRT
117/747 qemu:qtest+qtest-arm / qtest-arm/test-hmp                                 ERROR             2.54s   killed by signal 6 SIGABRT
151/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_watchdog_timer-test              ERROR             0.96s   killed by signal 6 SIGABRT
247/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_adc-test                         ERROR             0.96s   killed by signal 6 SIGABRT
248/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_gpio-test                        ERROR             1.05s   killed by signal 6 SIGABRT
249/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_rng-test                         ERROR             0.97s   killed by signal 6 SIGABRT
250/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_sdhci-test                       ERROR             0.97s   killed by signal 6 SIGABRT
251/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_smbus-test                       ERROR             0.89s   killed by signal 6 SIGABRT
252/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_timer-test                       ERROR             1.09s   killed by signal 6 SIGABRT
253/747 qemu:qtest+qtest-arm / qtest-arm/npcm_gmac-test                           ERROR             1.12s   killed by signal 6 SIGABRT
255/747 qemu:qtest+qtest-arm / qtest-arm/npcm7xx_emc-test                         ERROR             1.05s   killed by signal 6 SIGABRT

check-functional:
 22/203 qemu:func-thorough+func-arm-thorough+thorough / func-arm-arm_quanta_gsj                      ERROR             0.79s   exit status 1
 38/203 qemu:func-quick+func-aarch64 / func-aarch64-migration                                        ERROR             1.97s   exit status 1
 45/203 qemu:func-quick+func-arm / func-arm-migration                                                ERROR             1.90s   exit status 1

Fixes: cf76c4e174 ("hw/misc: Add nr_regs and cold_reset_values to NPCM CLK")
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2025-02-25 15:32:58 +00:00
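As an added illustration of the bug class the commit message describes (not QEMU's own code; the type names, constants and reset values below are constructed for the example), the following C reproduces the size mismatch: a per-variant reset table whose length differs between SoCs, a state struct whose register array is fixed at the larger variant's size, and a reset that copied `sizeof(s->regs)` instead of the table's own length. The register counts are derived from the ASan report on this page: the NPCM7xx table is 112 bytes (28 x uint32_t) while the over-read copied 196 bytes (49 x uint32_t). The corrected `npcm_clk_enter_reset()` bounds the copy by the source table and rejects a class whose table would not fit the array; the pre-fix copy length is returned by a helper rather than performed, because performing it for the NPCM7xx reads past the table.

```c
/* Added illustration, not QEMU's code: names, constants and values are
 * constructed for this example. Register counts follow the ASan report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPCM7XX_CLK_NR_REGS 28          /* 112 bytes, the real table's size */
#define NPCM8XX_CLK_NR_REGS 49          /* 196 bytes, the size that was read */
#define NPCM_CLK_MAX_REGS   NPCM8XX_CLK_NR_REGS

typedef struct {
    size_t nr_regs;                     /* registers this SoC variant has */
    const uint32_t *cold_reset_values;  /* table of exactly nr_regs entries */
} NPCMCLKClass;

typedef struct {
    uint32_t regs[NPCM_CLK_MAX_REGS];   /* fixed size: sized for the largest variant */
} NPCMCLKState;

/* Constructed reset tables; only their sizes matter for this example. */
static const uint32_t npcm7xx_cold_reset_values[NPCM7XX_CLK_NR_REGS] = {
    [0] = 0x00000001, [NPCM7XX_CLK_NR_REGS - 1] = 0x00000007,
};
static const uint32_t npcm8xx_cold_reset_values[NPCM8XX_CLK_NR_REGS] = {
    [0] = 0x00000008, [NPCM8XX_CLK_NR_REGS - 1] = 0x00000088,
};

static const NPCMCLKClass npcm7xx_clk_class = {
    NPCM7XX_CLK_NR_REGS, npcm7xx_cold_reset_values
};
static const NPCMCLKClass npcm8xx_clk_class = {
    NPCM8XX_CLK_NR_REGS, npcm8xx_cold_reset_values
};

/* Bytes the pre-fix reset copied: sizeof(s->regs). This only matches the
 * source table for the NPCM8xx; for the NPCM7xx it is 84 bytes too many. */
size_t buggy_reset_copy_bytes(void)
{
    NPCMCLKState s;
    return sizeof(s.regs);
}

/* Bytes actually backed by the class's reset table. */
size_t reset_table_bytes(const NPCMCLKClass *c)
{
    return c->nr_regs * sizeof(uint32_t);
}

/* Fixed reset: bound the copy by the source table, not the destination,
 * and refuse a class whose table would overrun s->regs.
 * Returns 0 on success, -1 if nr_regs exceeds the register array. */
int npcm_clk_enter_reset(NPCMCLKState *s, const NPCMCLKClass *c)
{
    if (c->nr_regs > NPCM_CLK_MAX_REGS) {
        return -1;
    }
    memset(s->regs, 0, sizeof(s->regs));   /* keep the unused tail deterministic */
    memcpy(s->regs, c->cold_reset_values, reset_table_bytes(c));
    return 0;
}

int main(void)
{
    NPCMCLKState s;
    printf("pre-fix copy: %zu bytes; NPCM7xx table: %zu bytes; NPCM8xx table: %zu bytes\n",
           buggy_reset_copy_bytes(),
           reset_table_bytes(&npcm7xx_clk_class),
           reset_table_bytes(&npcm8xx_clk_class));
    if (npcm_clk_enter_reset(&s, &npcm7xx_clk_class) == 0) {
        printf("NPCM7xx reset ok: regs[0]=%#x regs[27]=%#x regs[28]=%#x\n",
               s.regs[0], s.regs[27], s.regs[28]);
    }
    return 0;
}
```

The overflow is an over-read of a read-only global rather than a write, which is why ASan reports it as `global-buffer-overflow` on `memcpy` and why plain runs without sanitizers could pass while still loading 84 bytes of whatever sits after the table into the device's register state.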
9pfs 9pfs: improve v9fs_open() tracing 2025-02-06 17:10:46 +01:00
acpi hw/acpi: Add vmclock device 2025-01-15 17:43:24 -05:00
adc include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
alpha hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
arm hw: Centralize handling of -machine dumpdtb option 2025-02-24 15:03:42 +00:00
audio Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
avr hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
block Block layer patches 2025-02-10 13:25:36 -05:00
char hw/char/xilinx_uartlite: Make device endianness configurable 2025-02-16 14:34:51 +01:00
core hw/core/machine.c: Make -machine dumpdtb=file.dtb with no DTB an error 2025-02-25 15:32:57 +00:00
cpu hw/cpu/arm_mpcore: Remove default values for GIC external IRQs 2025-02-20 14:20:29 +00:00
cxl mem/cxl_type3: support 3, 6, 12 and 16 interleave ways 2025-02-21 07:18:42 -05:00
display Memory pull request for 10.0 2025-02-19 08:36:26 +08:00
dma Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
fsi hw: Use device_class_set_legacy_reset() instead of opencoding 2024-09-13 15:31:44 +01:00
gpio hw/gpio/imx_gpio: Turn DPRINTF() into trace events 2025-01-13 17:16:04 +01:00
hppa hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
hyperv qapi: Move include/qapi/qmp/ to include/qobject/ 2025-02-10 15:33:16 +01:00
i2c hw/arm: Mark Allwinner Technology devices as little-endian 2025-02-16 14:41:46 +01:00
i386 virtio,pc,pci: features, fixes, cleanups 2025-02-22 05:06:39 +08:00
ide Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
input Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
intc hw/intc/arm_gicv3_cpuif(): Remove redundant tests of is_a64() 2025-02-20 14:20:28 +00:00
ipack hw/ipack: Remove legacy qemu_allocate_irqs() use 2025-01-31 19:36:44 +01:00
ipmi Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
isa hw: Declare various const data as 'const' 2025-02-16 14:26:07 +01:00
loongarch hw: Centralize handling of -machine dumpdtb option 2025-02-24 15:03:42 +00:00
m68k hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
mem mem/cxl_type3: support 3, 6, 12 and 16 interleave ways 2025-02-21 07:18:42 -05:00
microblaze hw/ssi/xilinx_spi: Make device endianness configurable 2025-02-16 14:34:57 +01:00
mips hw: Centralize handling of -machine dumpdtb option 2025-02-24 15:03:42 +00:00
misc hw/misc/npcm_clk: fix buffer-overflow 2025-02-25 15:32:58 +00:00
net virtio,pc,pci: features, fixes, cleanups 2025-02-22 05:06:39 +08:00
nubus include/hw/qdev-properties: Remove DEFINE_PROP_END_OF_LIST 2024-12-19 19:36:37 +01:00
nvme pcie_sriov: Ensure VF addr does not overflow 2025-02-20 18:23:19 -05:00
nvram fw_cfg: Don't set callback_opaque NULL in fw_cfg_modify_bytes_read() 2024-12-31 21:21:34 +01:00
openrisc hw: Centralize handling of -machine dumpdtb option 2025-02-24 15:03:42 +00:00
pci virtio,pc,pci: features, fixes, cleanups 2025-02-22 05:06:39 +08:00
pci-bridge Accel & Exec patch queue 2024-12-21 11:07:00 -05:00
pci-host hw/pci-host: Mark versatile regions as little-endian 2025-02-16 14:41:46 +01:00
ppc hw: Centralize handling of -machine dumpdtb option 2025-02-24 15:03:42 +00:00
remote Memory pull request for 10.0 2025-02-19 08:36:26 +08:00
riscv hw: Centralize handling of -machine dumpdtb option 2025-02-24 15:03:42 +00:00
rtc hw/arm: Mark Allwinner Technology devices as little-endian 2025-02-16 14:41:46 +01:00
rx hw/rx: Allow execution without either bios or kernel 2025-02-16 14:45:38 +01:00
s390x virtio,pc,pci: features, fixes, cleanups 2025-02-22 05:06:39 +08:00
scsi block: remove unused BLOCK_OP_TYPE_DATAPLANE 2025-02-06 14:51:10 +01:00
sd hw/arm: Mark Allwinner Technology devices as little-endian 2025-02-16 14:41:46 +01:00
sensor hw: Make class data 'const' 2025-02-16 14:26:07 +01:00
sh4 hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
smbios include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
sparc hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
sparc64 hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
ssi hw/ssi: Make flash size a property in NPCM7XX FIU 2025-02-20 14:20:29 +00:00
timer hw/arm: Mark Allwinner Technology devices as little-endian 2025-02-16 14:41:46 +01:00
tpm hw/tpm: Have TPM TIS sysbus device inherit from DYNAMIC_SYS_BUS_DEVICE 2025-02-16 14:25:07 +01:00
tricore hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
ufs hw/ufs: Fix legacy single doorbell support bit 2025-02-17 18:20:53 +09:00
usb Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 2025-02-20 14:20:29 +00:00
vfio virtio,pc,pci: features, fixes, cleanups 2025-02-22 05:06:39 +08:00
virtio virtio,pc,pci: features, fixes, cleanups 2025-02-22 05:06:39 +08:00
watchdog hw/arm: Mark Allwinner Technology devices as little-endian 2025-02-16 14:41:46 +01:00
xen hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xenpv hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xtensa hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
Kconfig hw: Remove PCMCIA subsystem 2024-10-15 15:16:17 +01:00
meson.build hw: Remove PCMCIA subsystem 2024-10-15 15:16:17 +01:00