qemu-e2k/hw/intc/rx_icu.c
Chen Qun 57bdec5c46 hw/intc: fix heap-buffer-overflow in rxicu_realize()
When 'j = icu->nr_sense – 1', the 'j < icu->nr_sense' condition is true,
then 'j = icu->nr_sense', the'icu->init_sense[j]' has out-of-bounds access.

The asan showed stack:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000004d7d at pc 0x55852cd26a76 bp 0x7ffe39f26200 sp 0x7ffe39f261f0
READ of size 1 at 0x604000004d7d thread T0
    #0 0x55852cd26a75 in rxicu_realize ../hw/intc/rx_icu.c:311
    #1 0x55852cf075f7 in device_set_realized ../hw/core/qdev.c:886
    #2 0x55852cd4a32f in property_set_bool ../qom/object.c:2251
    #3 0x55852cd4f9bb in object_property_set ../qom/object.c:1398
    #4 0x55852cd54f3f in object_property_set_qobject ../qom/qom-qobject.c:28
    #5 0x55852cd4fc3f in object_property_set_bool ../qom/object.c:1465
    #6 0x55852cbf0b27 in register_icu ../hw/rx/rx62n.c:156
    #7 0x55852cbf12a6 in rx62n_realize ../hw/rx/rx62n.c:261
    #8 0x55852cf075f7 in device_set_realized ../hw/core/qdev.c:886
    #9 0x55852cd4a32f in property_set_bool ../qom/object.c:2251
    #10 0x55852cd4f9bb in object_property_set ../qom/object.c:1398
    #11 0x55852cd54f3f in object_property_set_qobject ../qom/qom-qobject.c:28
    #12 0x55852cd4fc3f in object_property_set_bool ../qom/object.c:1465
    #13 0x55852cbf1a85 in rx_gdbsim_init ../hw/rx/rx-gdbsim.c:109
    #14 0x55852cd22de0 in qemu_init ../softmmu/vl.c:4380
    #15 0x55852ca57088 in main ../softmmu/main.c:49
    #16 0x7feefafa5d42 in __libc_start_main (/lib64/libc.so.6+0x26d42)

Add the 'ice->src[i].sense' initialize to the default value, and then
process init_sense array to identify which irqs should be level-triggered.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201111141733.2358800-1-kuhn.chenqun@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-11-23 10:41:58 +00:00

396 lines
10 KiB
C

/*
* RX Interrupt Control Unit
*
* Warning: Only ICUa is supported.
*
* Datasheet: RX62N Group, RX621 Group User's Manual: Hardware
* (Rev.1.40 R01UH0033EJ0140)
*
* Copyright (c) 2019 Yoshinori Sato
*
* SPDX-License-Identifier: GPL-2.0-or-later
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2 or later, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License along with
* this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "qemu/osdep.h"
#include "qemu/log.h"
#include "qemu/error-report.h"
#include "hw/irq.h"
#include "hw/registerfields.h"
#include "hw/qdev-properties.h"
#include "hw/intc/rx_icu.h"
#include "migration/vmstate.h"
REG8(IR, 0)
FIELD(IR, IR, 0, 1)
REG8(DTCER, 0x100)
FIELD(DTCER, DTCE, 0, 1)
REG8(IER, 0x200)
REG8(SWINTR, 0x2e0)
FIELD(SWINTR, SWINT, 0, 1)
REG16(FIR, 0x2f0)
FIELD(FIR, FVCT, 0, 8)
FIELD(FIR, FIEN, 15, 1)
REG8(IPR, 0x300)
FIELD(IPR, IPR, 0, 4)
REG8(DMRSR, 0x400)
REG8(IRQCR, 0x500)
FIELD(IRQCR, IRQMD, 2, 2)
REG8(NMISR, 0x580)
FIELD(NMISR, NMIST, 0, 1)
FIELD(NMISR, LVDST, 1, 1)
FIELD(NMISR, OSTST, 2, 1)
REG8(NMIER, 0x581)
FIELD(NMIER, NMIEN, 0, 1)
FIELD(NMIER, LVDEN, 1, 1)
FIELD(NMIER, OSTEN, 2, 1)
REG8(NMICLR, 0x582)
FIELD(NMICLR, NMICLR, 0, 1)
FIELD(NMICLR, OSTCLR, 2, 1)
REG8(NMICR, 0x583)
FIELD(NMICR, NMIMD, 3, 1)
static void set_irq(RXICUState *icu, int n_IRQ, int req)
{
if ((icu->fir & R_FIR_FIEN_MASK) &&
(icu->fir & R_FIR_FVCT_MASK) == n_IRQ) {
qemu_set_irq(icu->_fir, req);
} else {
qemu_set_irq(icu->_irq, req);
}
}
static uint16_t rxicu_level(RXICUState *icu, unsigned n)
{
return (icu->ipr[icu->map[n]] << 8) | n;
}
static void rxicu_request(RXICUState *icu, int n_IRQ)
{
int enable;
enable = icu->ier[n_IRQ / 8] & (1 << (n_IRQ & 7));
if (n_IRQ > 0 && enable != 0 && qatomic_read(&icu->req_irq) < 0) {
qatomic_set(&icu->req_irq, n_IRQ);
set_irq(icu, n_IRQ, rxicu_level(icu, n_IRQ));
}
}
static void rxicu_set_irq(void *opaque, int n_IRQ, int level)
{
RXICUState *icu = opaque;
struct IRQSource *src;
int issue;
if (n_IRQ >= NR_IRQS) {
error_report("%s: IRQ %d out of range", __func__, n_IRQ);
return;
}
src = &icu->src[n_IRQ];
level = (level != 0);
switch (src->sense) {
case TRG_LEVEL:
/* level-sensitive irq */
issue = level;
src->level = level;
break;
case TRG_NEDGE:
issue = (level == 0 && src->level == 1);
src->level = level;
break;
case TRG_PEDGE:
issue = (level == 1 && src->level == 0);
src->level = level;
break;
case TRG_BEDGE:
issue = ((level ^ src->level) & 1);
src->level = level;
break;
default:
g_assert_not_reached();
}
if (issue == 0 && src->sense == TRG_LEVEL) {
icu->ir[n_IRQ] = 0;
if (qatomic_read(&icu->req_irq) == n_IRQ) {
/* clear request */
set_irq(icu, n_IRQ, 0);
qatomic_set(&icu->req_irq, -1);
}
return;
}
if (issue) {
icu->ir[n_IRQ] = 1;
rxicu_request(icu, n_IRQ);
}
}
static void rxicu_ack_irq(void *opaque, int no, int level)
{
RXICUState *icu = opaque;
int i;
int n_IRQ;
int max_pri;
n_IRQ = qatomic_read(&icu->req_irq);
if (n_IRQ < 0) {
return;
}
qatomic_set(&icu->req_irq, -1);
if (icu->src[n_IRQ].sense != TRG_LEVEL) {
icu->ir[n_IRQ] = 0;
}
max_pri = 0;
n_IRQ = -1;
for (i = 0; i < NR_IRQS; i++) {
if (icu->ir[i]) {
if (max_pri < icu->ipr[icu->map[i]]) {
n_IRQ = i;
max_pri = icu->ipr[icu->map[i]];
}
}
}
if (n_IRQ >= 0) {
rxicu_request(icu, n_IRQ);
}
}
static uint64_t icu_read(void *opaque, hwaddr addr, unsigned size)
{
RXICUState *icu = opaque;
int reg = addr & 0xff;
if ((addr != A_FIR && size != 1) ||
(addr == A_FIR && size != 2)) {
qemu_log_mask(LOG_GUEST_ERROR, "rx_icu: Invalid read size 0x%"
HWADDR_PRIX "\n",
addr);
return UINT64_MAX;
}
switch (addr) {
case A_IR ... A_IR + 0xff:
return icu->ir[reg] & R_IR_IR_MASK;
case A_DTCER ... A_DTCER + 0xff:
return icu->dtcer[reg] & R_DTCER_DTCE_MASK;
case A_IER ... A_IER + 0x1f:
return icu->ier[reg];
case A_SWINTR:
return 0;
case A_FIR:
return icu->fir & (R_FIR_FIEN_MASK | R_FIR_FVCT_MASK);
case A_IPR ... A_IPR + 0x8f:
return icu->ipr[reg] & R_IPR_IPR_MASK;
case A_DMRSR:
case A_DMRSR + 4:
case A_DMRSR + 8:
case A_DMRSR + 12:
return icu->dmasr[reg >> 2];
case A_IRQCR ... A_IRQCR + 0x1f:
return icu->src[64 + reg].sense << R_IRQCR_IRQMD_SHIFT;
case A_NMISR:
case A_NMICLR:
return 0;
case A_NMIER:
return icu->nmier;
case A_NMICR:
return icu->nmicr;
default:
qemu_log_mask(LOG_UNIMP, "rx_icu: Register 0x%" HWADDR_PRIX " "
"not implemented.\n",
addr);
break;
}
return UINT64_MAX;
}
static void icu_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
{
RXICUState *icu = opaque;
int reg = addr & 0xff;
if ((addr != A_FIR && size != 1) ||
(addr == A_FIR && size != 2)) {
qemu_log_mask(LOG_GUEST_ERROR, "rx_icu: Invalid write size at "
"0x%" HWADDR_PRIX "\n",
addr);
return;
}
switch (addr) {
case A_IR ... A_IR + 0xff:
if (icu->src[reg].sense != TRG_LEVEL && val == 0) {
icu->ir[reg] = 0;
}
break;
case A_DTCER ... A_DTCER + 0xff:
icu->dtcer[reg] = val & R_DTCER_DTCE_MASK;
qemu_log_mask(LOG_UNIMP, "rx_icu: DTC not implemented\n");
break;
case A_IER ... A_IER + 0x1f:
icu->ier[reg] = val;
break;
case A_SWINTR:
if (val & R_SWINTR_SWINT_MASK) {
qemu_irq_pulse(icu->_swi);
}
break;
case A_FIR:
icu->fir = val & (R_FIR_FIEN_MASK | R_FIR_FVCT_MASK);
break;
case A_IPR ... A_IPR + 0x8f:
icu->ipr[reg] = val & R_IPR_IPR_MASK;
break;
case A_DMRSR:
case A_DMRSR + 4:
case A_DMRSR + 8:
case A_DMRSR + 12:
icu->dmasr[reg >> 2] = val;
qemu_log_mask(LOG_UNIMP, "rx_icu: DMAC not implemented\n");
break;
case A_IRQCR ... A_IRQCR + 0x1f:
icu->src[64 + reg].sense = val >> R_IRQCR_IRQMD_SHIFT;
break;
case A_NMICLR:
break;
case A_NMIER:
icu->nmier |= val & (R_NMIER_NMIEN_MASK |
R_NMIER_LVDEN_MASK |
R_NMIER_OSTEN_MASK);
break;
case A_NMICR:
if ((icu->nmier & R_NMIER_NMIEN_MASK) == 0) {
icu->nmicr = val & R_NMICR_NMIMD_MASK;
}
break;
default:
qemu_log_mask(LOG_UNIMP, "rx_icu: Register 0x%" HWADDR_PRIX " "
"not implemented\n",
addr);
break;
}
}
static const MemoryRegionOps icu_ops = {
.write = icu_write,
.read = icu_read,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {
.min_access_size = 1,
.max_access_size = 2,
},
.valid = {
.min_access_size = 1,
.max_access_size = 2,
},
};
static void rxicu_realize(DeviceState *dev, Error **errp)
{
RXICUState *icu = RX_ICU(dev);
int i;
if (icu->init_sense == NULL) {
qemu_log_mask(LOG_GUEST_ERROR,
"rx_icu: trigger-level property must be set.");
return;
}
for (i = 0; i < NR_IRQS; i++) {
icu->src[i].sense = TRG_PEDGE;
}
for (i = 0; i < icu->nr_sense; i++) {
uint8_t irqno = icu->init_sense[i];
icu->src[irqno].sense = TRG_LEVEL;
}
icu->req_irq = -1;
}
static void rxicu_init(Object *obj)
{
SysBusDevice *d = SYS_BUS_DEVICE(obj);
RXICUState *icu = RX_ICU(obj);
memory_region_init_io(&icu->memory, OBJECT(icu), &icu_ops,
icu, "rx-icu", 0x600);
sysbus_init_mmio(d, &icu->memory);
qdev_init_gpio_in(DEVICE(d), rxicu_set_irq, NR_IRQS);
qdev_init_gpio_in_named(DEVICE(d), rxicu_ack_irq, "ack", 1);
sysbus_init_irq(d, &icu->_irq);
sysbus_init_irq(d, &icu->_fir);
sysbus_init_irq(d, &icu->_swi);
}
static void rxicu_fini(Object *obj)
{
RXICUState *icu = RX_ICU(obj);
g_free(icu->map);
g_free(icu->init_sense);
}
static const VMStateDescription vmstate_rxicu = {
.name = "rx-icu",
.version_id = 1,
.minimum_version_id = 1,
.fields = (VMStateField[]) {
VMSTATE_UINT8_ARRAY(ir, RXICUState, NR_IRQS),
VMSTATE_UINT8_ARRAY(dtcer, RXICUState, NR_IRQS),
VMSTATE_UINT8_ARRAY(ier, RXICUState, NR_IRQS / 8),
VMSTATE_UINT8_ARRAY(ipr, RXICUState, 142),
VMSTATE_UINT8_ARRAY(dmasr, RXICUState, 4),
VMSTATE_UINT16(fir, RXICUState),
VMSTATE_UINT8(nmisr, RXICUState),
VMSTATE_UINT8(nmier, RXICUState),
VMSTATE_UINT8(nmiclr, RXICUState),
VMSTATE_UINT8(nmicr, RXICUState),
VMSTATE_INT16(req_irq, RXICUState),
VMSTATE_END_OF_LIST()
}
};
static Property rxicu_properties[] = {
DEFINE_PROP_ARRAY("ipr-map", RXICUState, nr_irqs, map,
qdev_prop_uint8, uint8_t),
DEFINE_PROP_ARRAY("trigger-level", RXICUState, nr_sense, init_sense,
qdev_prop_uint8, uint8_t),
DEFINE_PROP_END_OF_LIST(),
};
static void rxicu_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = rxicu_realize;
dc->vmsd = &vmstate_rxicu;
device_class_set_props(dc, rxicu_properties);
}
static const TypeInfo rxicu_info = {
.name = TYPE_RX_ICU,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(RXICUState),
.instance_init = rxicu_init,
.instance_finalize = rxicu_fini,
.class_init = rxicu_class_init,
};
static void rxicu_register_types(void)
{
type_register_static(&rxicu_info);
}
type_init(rxicu_register_types)