From 7b8cbe5162e69ad629c5326bf3c158b81857955d Mon Sep 17 00:00:00 2001 From: Steven Lee Date: Thu, 20 Mar 2025 17:25:43 +0800 Subject: hw/intc/aspeed: Fix IRQ handler mask check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updated the IRQ handler mask check to AND with select variable. This ensures that the interrupt service routine is correctly triggered for the interrupts within the same irq group. For example, both `eth0` and the debug UART are handled in `GICINT132`. Without this fix, the debug console may hang if the `eth0` ISR is not handled. Signed-off-by: Steven Lee Change-Id: Ic3609eb72218dfd68be6057d78b8953b18828709 Reviewed-by: Cédric Le Goater Fixes: d831c5fd8682 ("aspeed/intc: Add AST2700 support") Link: https://lore.kernel.org/qemu-devel/20250320092543.4040672-2-steven_lee@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/intc/aspeed_intc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/intc/aspeed_intc.c b/hw/intc/aspeed_intc.c index 3fd4170..f17bf43 100644 --- a/hw/intc/aspeed_intc.c +++ b/hw/intc/aspeed_intc.c @@ -111,7 +111,7 @@ static void aspeed_intc_set_irq_handler(AspeedINTCState *s, outpin_idx = intc_irq->outpin_idx; inpin_idx = intc_irq->inpin_idx; - if (s->mask[inpin_idx] || s->regs[status_reg]) { + if ((s->mask[inpin_idx] & select) || (s->regs[status_reg] & select)) { /* * a. mask is not 0 means in ISR mode * sources interrupt routine are executing. -- cgit v1.1 From 78877b2e06464f49f777e086845e094ea7bc82ef Mon Sep 17 00:00:00 2001 
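Review bot: The comment block right below the changed condition ("a. mask is not 0 means in ISR mode / sources interrupt routine are executing.") describes the old whole-register test and is now stale: the new condition `(s->mask[inpin_idx] & select) || (s->regs[status_reg] & select)` only asks whether the bit(s) in `select` are masked or pending, not whether any source in the group is. Reword the comment to say that the mask bit for the selected source being set means its ISR is running, so the next reader does not reintroduce the coarse check. `select` is also not defined or assigned anywhere in the visible context lines; worth confirming in the full function that it holds exactly the source bit for the interrupt being processed, since the fix only helps if `select` is narrower than the whole GICINT group register.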
From: Jamin Lin Date: Fri, 21 Mar 2025 17:25:58 +0800 Subject: hw/misc/aspeed_hace: Fix buffer overflow in has_padding function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The maximum padding size is either 64 or 128 bytes and should always be smaller than "req_len". If "padding_size" exceeds "req_len", then "req_len - padding_size" underflows due to "uint32_t" data type, leading to a large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory access, potentially leading to a buffer overflow. Added a check to ensure "padding_size" does not exceed "req_len" before computing "pad_offset". This prevents "req_len - padding_size" from underflowing and avoids accessing invalid memory. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Fixes: 5cd7d8564a8b563da724b9e6264c967f0a091afa ("aspeed/hace: Support AST2600 HACE ") Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/misc/aspeed_hace.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'hw') diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c index 32a5dbd..d75da33 100644 --- a/hw/misc/aspeed_hace.c +++ b/hw/misc/aspeed_hace.c @@ -128,6 +128,11 @@ static bool has_padding(AspeedHACEState *s, struct iovec *iov, if (*total_msg_len <= s->total_req_len) { uint32_t padding_size = s->total_req_len - *total_msg_len; uint8_t *padding = iov->iov_base; + + if (padding_size > req_len) { + return false; + } + *pad_offset = req_len - padding_size; if (padding[*pad_offset] == 0x80) { return true; -- cgit v1.1
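Review bot: The new guard `if (padding_size > req_len) { return false; }` is correct for the underflow (the `>` rather than `>=` is right, since `padding_size == req_len` gives `pad_offset == 0`, a valid index), but it fails silently. A guest that programs `total_req_len` so that the padding exceeds the request buffer is sending malformed input to the model, which is exactly the condition worth recording; consider emitting a `qemu_log_mask(LOG_GUEST_ERROR, ...)` with `padding_size` and `req_len` before the `return false` so the case is visible in logs rather than indistinguishable from "no padding found". The commit message also states the padding is at most 64 or 128 bytes, yet the code only bounds `padding_size` by `req_len`; if the caller guarantees `req_len <= iov->iov_len` that is enough for memory safety, but that guarantee is not shown in this hunk and deserves a one-line comment or an explicit upper bound.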