[PULL 15/53] hw/timer/hpet: Fix expiration time overflow
From: Michael S. Tsirkin
Subject: [PULL 15/53] hw/timer/hpet: Fix expiration time overflow
Date: Thu, 2 Mar 2023 03:25:17 -0500
From: Akihiko Odaki <akihiko.odaki@daynix.com>
The expiration time provided for timer_mod() can overflow if a
ridiculously large value is set to the comparator register. The
resulting value can represent a past time after rounding, forcing the
timer to fire immediately. If the timer is configured as periodic, it
will rearm the timer again and form an endless loop.
Check if the expiration value will overflow, and if it will, stop the
timer instead of rearming the timer with the overflowed time.
This bug was found by Alexander Bulekov when fuzzing igb, a new
network device emulation:
https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/
The fixed test case is:
fuzz/crash_2d7036941dcda1ad4380bb8a9174ed0c949bcefd
Fixes: 16b29ae180 ("Add HPET emulation to qemu (Beth Kon)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20230131030037.18856-1-akihiko.odaki@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/timer/hpet.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index 214d6a0501..6998094233 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -353,6 +353,16 @@ static const VMStateDescription vmstate_hpet = {
}
};
+static void hpet_arm(HPETTimer *t, uint64_t ticks)
+{
+ if (ticks < ns_to_ticks(INT64_MAX / 2)) {
+ timer_mod(t->qemu_timer,
+ qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ticks_to_ns(ticks));
+ } else {
+ timer_del(t->qemu_timer);
+ }
+}
+
/*
* timer expiration callback
*/
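Review bot: the bound `ticks < ns_to_ticks(INT64_MAX / 2)` only keeps `qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ticks_to_ns(ticks)` below INT64_MAX while the virtual clock itself is below INT64_MAX / 2 (roughly 146 years of nanoseconds); that is a reasonable assumption, but it should be stated in a comment above hpet_arm(), together with why the else branch deletes the timer rather than clamping the expiry. The old call sites also cast ticks_to_ns() to int64_t before adding and hpet_arm() drops that cast; under the bound the sum fits in int64_t either way, but a one-line comment saying so would save the next reader the same check.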
@@ -375,13 +385,11 @@ static void hpet_timer(void *opaque)
}
}
diff = hpet_calculate_diff(t, cur_tick);
- timer_mod(t->qemu_timer,
- qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(int64_t)ticks_to_ns(diff));
+ hpet_arm(t, diff);
} else if (t->config & HPET_TN_32BIT && !timer_is_periodic(t)) {
if (t->wrap_flag) {
diff = hpet_calculate_diff(t, cur_tick);
- timer_mod(t->qemu_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
- (int64_t)ticks_to_ns(diff));
+ hpet_arm(t, diff);
t->wrap_flag = 0;
}
}
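Review bot: the continuation line `(int64_t)ticks_to_ns(diff));` in the periodic branch appears without a `-` marker in this rendering, so as displayed the hunk would leave a dangling statement fragment after `hpet_arm(t, diff);`; confirm it is a removed line in the applied patch. Separately, since both the periodic path and the 32-bit wrap path now go through hpet_arm(), a timer whose next expiry would overflow is silently deleted instead of rearmed; a short comment at the periodic call site noting that this is the intended end of the rearm loop described in the commit message would help, because otherwise a periodic timer just stops firing with no log or trace.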
@@ -408,8 +416,7 @@ static void hpet_set_timer(HPETTimer *t)
t->wrap_flag = 1;
}
}
- timer_mod(t->qemu_timer,
- qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(int64_t)ticks_to_ns(diff));
+ hpet_arm(t, diff);
}
static void hpet_del_timer(HPETTimer *t)
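Review bot: in hpet_set_timer() the 32-bit wrap path sets `t->wrap_flag = 1;` and then relies on the `hpet_arm(t, diff);` at the end of the function; when hpet_arm() takes its timer_del branch, the `t->wrap_flag = 0;` in hpet_timer() never runs, so the flag stays set until the comparator is reprogrammed. Worth confirming that hpet_set_timer() reinitialises wrap_flag on entry (the hunk starts mid-function, so that is not visible here) or adding a comment. As in the previous hunk, the third line of the removed statement, `(int64_t)ticks_to_ns(diff));`, is shown without a `-` marker in this rendering; check that it is a removed line in the actual patch.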
--
MST
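To make the failure described in the commit message concrete, here is an added example that is not part of the patch or of QEMU: it models the old unchecked arming and the new hpet_arm() bound check with a constructed tick rate of 100 ns per tick, and the ticks_to_ns()/ns_to_ticks() helpers here are stand-ins, not QEMU's own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed tick rate for the demo: 100 ns per HPET tick (10 MHz).
 * These two helpers are stand-ins for QEMU's ticks_to_ns()/ns_to_ticks(). */
#define HPET_NS_PER_TICK 100ULL

static uint64_t ticks_to_ns(uint64_t ticks) { return ticks * HPET_NS_PER_TICK; }
static uint64_t ns_to_ticks(uint64_t ns)    { return ns / HPET_NS_PER_TICK; }

/* Pre-patch arming: now + (int64_t)ticks_to_ns(diff), unchecked.
 * Returns true when the computed expiry lies at or before `now`, which is
 * what made timer_mod() fire immediately and a periodic timer spin forever.
 * __builtin_add_overflow (GCC/Clang) keeps the demo itself free of UB. */
static bool unchecked_arm_fires_in_past(int64_t now_ns, uint64_t diff_ticks,
                                        int64_t *expire_ns)
{
    int64_t ns = (int64_t)ticks_to_ns(diff_ticks); /* may wrap negative */
    bool wrapped = __builtin_add_overflow(now_ns, ns, expire_ns);
    return wrapped || *expire_ns <= now_ns;
}

/* Post-patch hpet_arm() logic: arm only if the delay is safely below
 * INT64_MAX / 2 ns; otherwise report that the timer would be deleted. */
static bool checked_arm(int64_t now_ns, uint64_t diff_ticks, int64_t *expire_ns)
{
    if (diff_ticks < ns_to_ticks(INT64_MAX / 2)) {
        *expire_ns = now_ns + (int64_t)ticks_to_ns(diff_ticks);
        return true;                         /* timer_mod() */
    }
    return false;                            /* timer_del() */
}

int main(void)
{
    const int64_t now = 1000000000;          /* 1 s of virtual time */
    int64_t expire;
    /* Sane comparator delta: both versions arm the timer 100 us out. */
    assert(!unchecked_arm_fires_in_past(now, 1000, &expire) && expire == now + 100000);
    assert(checked_arm(now, 1000, &expire) && expire == now + 100000);
    /* Guest writes an all-ones comparator: old code computes a past expiry,
     * new code refuses to arm. */
    printf("unchecked: past=%d expire=%lld\n",
           unchecked_arm_fires_in_past(now, UINT64_MAX, &expire), (long long)expire);
    printf("checked:   armed=%d\n", checked_arm(now, UINT64_MAX, &expire));
    return 0;
}
```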