qemu/0019-timer-a9gtimer-remove-...

From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 24 Oct 2016 16:26:54 +0100
Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator

ARM A9MP processor has a peripheral timer with an auto-increment
register, which holds an increment step value. A user could set
this value to zero. When auto-increment control bit is enabled,
it leads to an infinite loop in 'a9_gtimer_update' while
updating comparator value. Remove this loop incrementing the
comparator value.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 6be8f5e2626e102433e569d9cece2120baf0c879)
---
 hw/timer/a9gtimer.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
index 772f85f5fd..ce1dc63911 100644
--- a/hw/timer/a9gtimer.c
+++ b/hw/timer/a9gtimer.c
@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
         if ((s->control & R_CONTROL_TIMER_ENABLE) &&
                 (gtb->control & R_CONTROL_COMP_ENABLE)) {
             /* R2p0+, where the compare function is >= */
-            while (gtb->compare < update.new) {
+            if (gtb->compare < update.new) {
                 DB_PRINT("Compare event happened for CPU %d\n", i);
                 gtb->status = 1;
-                if (gtb->control & R_CONTROL_AUTO_INCREMENT) {
-                    DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",
-                             gtb->inc);
-                    gtb->compare += gtb->inc;
-                } else {
-                    break;
+                if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) {
+                    uint64_t inc =
+                        QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc);
+                    DB_PRINT("Auto incrementing timer compare by %"
+                                                        PRId64 "\n", inc);
+                    gtb->compare += inc;
                 }
             }
             cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1;
CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) 2017-01-16 21:04:06 +00:00			`From: Prasad J Pandit <pjp@fedoraproject.org>`
			`Date: Mon, 24 Oct 2016 16:26:54 +0100`
			`Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator`

			`ARM A9MP processor has a peripheral timer with an auto-increment`
			`register, which holds an increment step value. A user could set`
			`this value to zero. When auto-increment control bit is enabled,`
			`it leads to an infinite loop in 'a9_gtimer_update' while`
			`updating comparator value. Remove this loop incrementing the`
			`comparator value.`

			`Reported-by: Li Qiang <liqiang6-s@360.cn>`
			`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
			`Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com`
			`Reviewed-by: Peter Maydell <peter.maydell@linaro.org>`
			`Signed-off-by: Peter Maydell <peter.maydell@linaro.org>`
			`(cherry picked from commit 6be8f5e2626e102433e569d9cece2120baf0c879)`
			`---`
			`hw/timer/a9gtimer.c \| 14 +++++++-------`
			`1 file changed, 7 insertions(+), 7 deletions(-)`

			`diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c`
CVE-2017-7718: cirrus: OOB read access issue (bz #1443443) CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz #1432040) CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872) CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372) CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578) CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz #1452598) CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623) CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz #1457699) CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz #1459137) CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497) 2017-07-12 22:19:21 +00:00			`index 772f85f5fd..ce1dc63911 100644`
CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) 2017-01-16 21:04:06 +00:00			`--- a/hw/timer/a9gtimer.c`
			`+++ b/hw/timer/a9gtimer.c`
			`@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)`
			`if ((s->control & R_CONTROL_TIMER_ENABLE) &&`
			`(gtb->control & R_CONTROL_COMP_ENABLE)) {`
			`/* R2p0+, where the compare function is >= */`
			`- while (gtb->compare < update.new) {`
			`+ if (gtb->compare < update.new) {`
			`DB_PRINT("Compare event happened for CPU %d\n", i);`
			`gtb->status = 1;`
			`- if (gtb->control & R_CONTROL_AUTO_INCREMENT) {`
			`- DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",`
			`- gtb->inc);`
			`- gtb->compare += gtb->inc;`
			`- } else {`
			`- break;`
			`+ if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) {`
			`+ uint64_t inc =`
			`+ QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc);`
			`+ DB_PRINT("Auto incrementing timer compare by %"`
			`+ PRId64 "\n", inc);`
			`+ gtb->compare += inc;`
			`}`
			`}`
			`cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1;`