[Qemu-devel] [PULL 22/22] dma: omap: check dma channel data_type
From: Peter Maydell
Subject: [Qemu-devel] [PULL 22/22] dma: omap: check dma channel data_type
Date: Fri, 27 Jan 2017 15:32:17 +0000
From: Prasad J Pandit <address@hidden>
When setting dma channel 'data_type', if (value & 3) == 3,
the set 'data_type' is said to be bad. This also leads to an
OOB access in 'omap_dma_transfer_generic', while doing
cpu_physical_memory_r/w operations. Add check to avoid it.
Reported-by: Jiang Xin <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
---
hw/dma/omap_dma.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/dma/omap_dma.c b/hw/dma/omap_dma.c
index f6f86f9..45dfe7a 100644
--- a/hw/dma/omap_dma.c
+++ b/hw/dma/omap_dma.c
@@ -878,15 +878,17 @@ static int omap_dma_ch_reg_write(struct omap_dma_s *s,
ch->burst[0] = (value & 0x0180) >> 7;
ch->pack[0] = (value & 0x0040) >> 6;
ch->port[0] = (enum omap_dma_port) ((value & 0x003c) >> 2);
- ch->data_type = 1 << (value & 3);
if (ch->port[0] >= __omap_dma_port_last)
printf("%s: invalid DMA port %i\n", __FUNCTION__,
ch->port[0]);
if (ch->port[1] >= __omap_dma_port_last)
printf("%s: invalid DMA port %i\n", __FUNCTION__,
ch->port[1]);
- if ((value & 3) == 3)
+ ch->data_type = 1 << (value & 3);
+ if ((value & 3) == 3) {
printf("%s: bad data_type for DMA channel\n", __FUNCTION__);
+ ch->data_type >>= 1;
+ }
break;
case 0x02: /* SYS_DMA_CCR_CH0 */
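Review bot: In the `(value & 3) == 3` branch, `ch->data_type >>= 1;` silently turns the bad encoding into an element size of 4, with no comment saying why 4 is the chosen fallback or that the 8 produced by `1 << 3` is the value the commit message ties to the out-of-bounds access in omap_dma_transfer_generic. A one-line comment above the shift would make that clear to the next reader. Separately, moving `ch->data_type = 1 << (value & 3);` below the port checks is not needed for the fix (the second hunk leaves the assignment where it was), so keeping it in place would reduce this hunk to the added braces and the shift.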
@@ -1988,8 +1990,10 @@ static void omap_dma4_write(void *opaque, hwaddr addr,
fprintf(stderr, "%s: bad MReqAddressTranslate sideband signal\n",
__FUNCTION__);
ch->data_type = 1 << (value & 3);
- if ((value & 3) == 3)
+ if ((value & 3) == 3) {
printf("%s: bad data_type for DMA channel\n", __FUNCTION__);
+ ch->data_type >>= 1;
+ }
break;
case 0x14: /* DMA4_CEN */
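Review bot: The clamp added in this branch is the same three lines as the one added in omap_dma_ch_reg_write, so the two register-write paths can drift apart again; a small shared helper that takes `value` and returns the element size would keep them consistent. The message is also printed with `printf` while the line just above uses `fprintf(stderr, ...)`; since both are reached from a guest register write, consider qemu_log_mask(LOG_GUEST_ERROR, ...) for them so the output is consistent and can be filtered on the host.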
--
2.7.4