[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 54/54] hw/timer/renesas_tmr: Fix use of uninitialized data in read
From: |
Peter Maydell |
Subject: |
[PULL 54/54] hw/timer/renesas_tmr: Fix use of uninitialized data in read_tcnt() |
Date: |
Mon, 8 Mar 2021 17:32:44 +0000 |
The read_tcnt() function calculates the TCNT register values for the
two channels of the timer module; it sets these up in the local
tcnt[] array, and eventually returns either one or both of them,
depending on whether the access is 8 or 16 bits. However, not all of
the code paths through this function set both elements of this array:
if the guest has programmed the TCCR.CSS register fields to values
which are either documented as not to be used or which QEMU does not
implement, then the function will return uninitialized data. (This
was spotted by Coverity.)
Add the missing CSS cases to this code, so that we return a
consistent value instead of uninitialized data, and so the code
structure indicates what's happening.
Fixes: CID 1429976
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210219223241.16344-3-peter.maydell@linaro.org
---
hw/timer/renesas_tmr.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/hw/timer/renesas_tmr.c b/hw/timer/renesas_tmr.c
index 22260aaaba5..eed39917fec 100644
--- a/hw/timer/renesas_tmr.c
+++ b/hw/timer/renesas_tmr.c
@@ -46,7 +46,9 @@ REG8(TCCR, 10)
FIELD(TCCR, CSS, 3, 2)
FIELD(TCCR, TMRIS, 7, 1)
+#define CSS_EXTERNAL 0x00
#define CSS_INTERNAL 0x01
+#define CSS_INVALID 0x02
#define CSS_CASCADING 0x03
#define CCLR_A 0x01
#define CCLR_B 0x02
@@ -130,13 +132,20 @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size,
int ch)
if (delta > 0) {
tmr->tick = now;
- if (FIELD_EX8(tmr->tccr[1], TCCR, CSS) == CSS_INTERNAL) {
+ switch (FIELD_EX8(tmr->tccr[1], TCCR, CSS)) {
+ case CSS_INTERNAL:
/* timer1 count update */
elapsed = elapsed_time(tmr, 1, delta);
if (elapsed >= 0x100) {
ovf = elapsed >> 8;
}
tcnt[1] = tmr->tcnt[1] + (elapsed & 0xff);
+ break;
+ case CSS_INVALID: /* guest error to have set this */
+ case CSS_EXTERNAL: /* QEMU doesn't implement these */
+ case CSS_CASCADING:
+ tcnt[1] = tmr->tcnt[1];
+ break;
}
switch (FIELD_EX8(tmr->tccr[0], TCCR, CSS)) {
case CSS_INTERNAL:
@@ -144,9 +153,11 @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size,
int ch)
tcnt[0] = tmr->tcnt[0] + elapsed;
break;
case CSS_CASCADING:
- if (ovf > 0) {
- tcnt[0] = tmr->tcnt[0] + ovf;
- }
+ tcnt[0] = tmr->tcnt[0] + ovf;
+ break;
+ case CSS_INVALID: /* guest error to have set this */
+ case CSS_EXTERNAL: /* QEMU doesn't implement this */
+ tcnt[0] = tmr->tcnt[0];
break;
}
} else {
--
2.20.1
- [PULL 43/54] docs/system/arm/mps2.rst: Document the new mps3-an547 board, (continued)
- [PULL 43/54] docs/system/arm/mps2.rst: Document the new mps3-an547 board, Peter Maydell, 2021/03/08
- [PULL 41/54] hw/arm/mps2-tz: Make initsvtor0 setting board-specific, Peter Maydell, 2021/03/08
- [PULL 37/54] hw/misc/mps2-fpgaio: Fold counters subsection into main vmstate, Peter Maydell, 2021/03/08
- [PULL 45/54] tests/qtest/sse-timer-test: Test the system timer, Peter Maydell, 2021/03/08
- [PULL 50/54] hw/arm: xlnx-zynqmp: Connect a Xilinx CSU DMA module for QSPI, Peter Maydell, 2021/03/08
- [PULL 47/54] target/arm: Restrict v7A TCG cpus to TCG accel, Peter Maydell, 2021/03/08
- [PULL 46/54] tests/qtest/sse-timer-test: Test counter scaling changes, Peter Maydell, 2021/03/08
- [PULL 53/54] hw/timer/renesas_tmr: Prefix constants for CSS values with CSS_, Peter Maydell, 2021/03/08
- [PULL 52/54] hw/ssi: xilinx_spips: Remove DMA related dead codes from zynqmp_spips, Peter Maydell, 2021/03/08
- [PULL 49/54] hw/arm: xlnx-zynqmp: Clean up coding convention issues, Peter Maydell, 2021/03/08
- [PULL 54/54] hw/timer/renesas_tmr: Fix use of uninitialized data in read_tcnt(),
Peter Maydell <=
- [PULL 48/54] hw/dma: Implement a Xilinx CSU DMA model, Peter Maydell, 2021/03/08
- [PULL 51/54] hw/ssi: xilinx_spips: Clean up coding convention issues, Peter Maydell, 2021/03/08
- Re: [PULL 00/54] target-arm queue, no-reply, 2021/03/08