diff options
| author | Frederic Konrad <fkonrad@amd.com> | 2023-11-24 14:35:03 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2023-11-27 15:38:43 +0000 |
| commit | 90bb6d676489b5cc063858ece263e1586795803f (patch) | |
| tree | 32e160e2f3447b0279203ec4f49f76e30706ded2 /include/hw/ssi | |
| parent | 6e782ffd555808378f69dd606641f0c4b5ca6120 (diff) | |
| download | qemu-90bb6d676489b5cc063858ece263e1586795803f.zip qemu-90bb6d676489b5cc063858ece263e1586795803f.tar.gz qemu-90bb6d676489b5cc063858ece263e1586795803f.tar.bz2 | |
hw/ssi/xilinx_spips: fix an out of bound access
The spips, qspips, and zynqmp-qspips share the same realize function
(xilinx_spips_realize) and initialize their io memory region with different
mmio_ops passed through the class. The size of the memory region is set to
the largest area (0x200 bytes for zynqmp-qspips) thus it is possible to write
out of s->regs[addr] in xilinx_spips_write for spips and qspips.
This fixes that wrong behavior.
Reviewed-by: Luc Michel <luc.michel@amd.com>
Signed-off-by: Frederic Konrad <fkonrad@amd.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Message-id: 20231124143505.1493184-2-fkonrad@amd.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'include/hw/ssi')
| -rw-r--r-- | include/hw/ssi/xilinx_spips.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h index 1386d5a..7a754bf 100644 --- a/include/hw/ssi/xilinx_spips.h +++ b/include/hw/ssi/xilinx_spips.h @@ -33,7 +33,9 @@ typedef struct XilinxSPIPS XilinxSPIPS; +/* For SPIPS, QSPIPS. */ #define XLNX_SPIPS_R_MAX (0x100 / 4) +/* For ZYNQMP_QSPIPS. */ #define XLNX_ZYNQMP_SPIPS_R_MAX (0x200 / 4) /* Bite off 4k chunks at a time */ @@ -125,6 +127,7 @@ struct XilinxSPIPSClass { SysBusDeviceClass parent_class; const MemoryRegionOps *reg_ops; + uint64_t reg_size; uint32_t rx_fifo_size; uint32_t tx_fifo_size; |