aboutsummaryrefslogtreecommitdiff
path: root/hw/misc/zynq_slcr.c
diff options
context:
space:
mode:
authorPhilippe Mathieu-Daudé <f4bug@amsat.org>2020-12-10 15:16:10 +0100
committerPeter Maydell <peter.maydell@linaro.org>2020-12-15 13:36:45 +0000
commit98a8cc741dad9cb4738f81a994bcf8d77d619152 (patch)
treea14ebcccda796616efe9cc5285b817d9c405d756 /hw/misc/zynq_slcr.c
parent144677d41bf513af64e934fba61bf3220cbe8d5a (diff)
downloadqemu-98a8cc741dad9cb4738f81a994bcf8d77d619152.zip
qemu-98a8cc741dad9cb4738f81a994bcf8d77d619152.tar.gz
qemu-98a8cc741dad9cb4738f81a994bcf8d77d619152.tar.bz2
hw/misc/zynq_slcr: Avoid #DIV/0! error
Malicious user can set the feedback divisor for the PLLs to zero, triggering a floating-point exception (SIGFPE). As the datasheet [*] is not clear how hardware behaves when these bits are zeroes, use the maximum divisor possible (128) to avoid the software FPE. [*] Zynq-7000 TRM, UG585 (v1.12.2) B.28 System Level Control Registers (slcr) -> "Register (slcr) ARM_PLL_CTRL" 25.10.4 PLLs -> "Software-Controlled PLL Update" Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts") Reported-by: Gaoning Pan <pgn@zju.edu.cn> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Damien Hedde <damien.hedde@greensocs.com> Message-id: 20201210141610.884600-1-f4bug@amsat.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/misc/zynq_slcr.c')
-rw-r--r--hw/misc/zynq_slcr.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
index a2b2801..66504a9 100644
--- a/hw/misc/zynq_slcr.c
+++ b/hw/misc/zynq_slcr.c
@@ -217,6 +217,11 @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
return 0;
}
+ /* Consider zero feedback as maximum divide ratio possible */
+ if (!mult) {
+ mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
+ }
+
/* frequency multiplier -> period division */
return input / mult;
}