aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPrasad J Pandit <pjp@fedoraproject.org>2016-11-07 10:00:24 +0000
committerPeter Maydell <peter.maydell@linaro.org>2016-11-07 10:00:24 +0000
commit6e29651c5e3a0e0336818574f273b3f6ecea491d (patch)
treecac5e9d74f007697377fab6d54e6fbe0f2267d82
parent9226682a401f34b10fd79dfe17ba334da0800747 (diff)
downloadqemu-6e29651c5e3a0e0336818574f273b3f6ecea491d.zip
qemu-6e29651c5e3a0e0336818574f273b3f6ecea491d.tar.gz
qemu-6e29651c5e3a0e0336818574f273b3f6ecea491d.tar.bz2
char: cadence: check baud rate generator and divider values
The Cadence UART device emulator calculates speed by dividing the baud rate by a 'baud rate generator' & 'baud rate divider' value. The device specification defines these register values to be non-zero and within certain limits. Add checks for these limits to avoid errors like divide by zero. Reported-by: Huawei PSIRT <psirt@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Message-id: 1477596278-1470-1-git-send-email-ppandit@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--hw/char/cadence_uart.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index def34cd..0215d65 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -1,6 +1,11 @@
/*
* Device model for Cadence UART
*
+ * Reference: Xilinx Zynq 7000 reference manual
+ * - http://www.xilinx.com/support/documentation/user_guides/ug585-Zynq-7000-TRM.pdf
+ * - Chapter 19 UART Controller
+ * - Appendix B for Register details
+ *
* Copyright (c) 2010 Xilinx Inc.
* Copyright (c) 2012 Peter A.G. Crosthwaite (peter.crosthwaite@petalogix.com)
* Copyright (c) 2012 PetaLogix Pty Ltd.
@@ -402,6 +407,16 @@ static void uart_write(void *opaque, hwaddr offset,
break;
}
break;
+ case R_BRGR: /* Baud rate generator */
+ if (value >= 0x01) {
+ s->r[offset] = value & 0xFFFF;
+ }
+ break;
+ case R_BDIV: /* Baud rate divider */
+ if (value >= 0x04) {
+ s->r[offset] = value & 0xFF;
+ }
+ break;
default:
s->r[offset] = value;
}