hpet: Catch out-of-bounds timer access

Also prevent out-of-bounds write access to the timers but don't spam the host console if it triggers. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: N Blue Swirl <blauwirbel@gmail.com>

hpet: Catch out-of-bounds timer access
Also prevent out-of-bounds write access to the timers but don't spam the host console if it triggers. Signed-off-by: N Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: N Blue Swirl <blauwirbel@gmail.com>
6982d664 · Jan Kiszka · Blue Swirl · c3d96978 · 6982d664
隐藏空白更改
内联并排

Showing with 5 addition and 1 deletion

hw/hpet.c hw/hpet.c +5 -1

未找到文件。
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -294,7 +294,7 @@ static uint32_t hpet_ram_readl(void *opaque, target_phys_addr_t addr)
    if (index >= 0x100 && index <= 0x3ff) {
        uint8_t timer_id = (addr - 0x100) / 0x20;
        if (timer_id > HPET_NUM_TIMERS - 1) {
-            printf("qemu: timer id out of range\n");
+            DPRINTF("qemu: timer id out of range\n");
            return 0;
        }
        HPETTimer *timer = &s->timer[timer_id];
@@ -383,6 +383,10 @@ static void hpet_ram_writel(void *opaque, target_phys_addr_t addr,
        DPRINTF("qemu: hpet_ram_writel timer_id = %#x \n", timer_id);
        HPETTimer *timer = &s->timer[timer_id];

+        if (timer_id > HPET_NUM_TIMERS - 1) {
+            DPRINTF("qemu: timer id out of range\n");
+            return;
+        }
        switch ((addr - 0x100) % 0x20) {
            case HPET_TN_CFG:
                DPRINTF("qemu: hpet_ram_writel HPET_TN_CFG\n");