On 26 October 2016 at 22:22, P J P <ppan...@redhat.com> wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > The Cadence UART device emulator calculates speed by dividing the > baud rate by a 'baud rate generator' & 'baud rate divider' value. > The device specification defines these register values to be > non-zero and within certain limits. Add checks for these limits > to avoid errors like divide by zero. > > Reported-by: Huawei PSIRT <ps...@huawei.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/char/cadence_uart.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > Update: mask R_BRGR and R_BDIV register values with 0xffff and 0xff resp. > -> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg06206.html > -> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg06215.html > > diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c > index e3bc52f..5341d81 100644 > --- a/hw/char/cadence_uart.c > +++ b/hw/char/cadence_uart.c > @@ -1,5 +1,10 @@ > /* > * Device model for Cadence UART > + * -> > http://www.xilinx.com/support/documentation/user_guides/ug585-Zynq-7000-TRM.pdf > + * > + * Reference: Xilinx Zynq 7000 reference manual > + * - Chapter 19 UART Controller > + * - Appendix B for Register details > * > * Copyright (c) 2010 Xilinx Inc. > * Copyright (c) 2012 Peter A.G. Crosthwaite > (peter.crosthwa...@petalogix.com) > @@ -410,6 +415,18 @@ static void uart_write(void *opaque, hwaddr offset, > break; > } > break; > + case R_BRGR: /* Baud rate generator */ > + s->r[offset] = 0x028B; /* default reset value */ > + if (value >= 0x01) { > + s->r[offset] = value & 0xFFFF; > + } > + break; > + case R_BDIV: /* Baud rate divider */ > + s->r[offset] = 0x0F; > + if (value >= 0x04) { > + s->r[offset] = value & 0xFF; > + } > + break; > default: > s->r[offset] = value; > }
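Review bot: in the uart_write hunk the masks undo the range checks, because `value >= 0x01` and `value >= 0x04` are evaluated on the unmasked value while the masked value is what gets stored. A write of 0x10000 to R_BRGR passes `value >= 0x01` and `value & 0xFFFF` stores 0; a write of 0x100 to R_BDIV passes `value >= 0x04` and `value & 0xFF` stores 0, so the divide by zero the commit message sets out to remove is still reachable through the register write path. Mask first and compare the masked value, e.g. `value &= 0xFFFF; if (value >= 0x01) { s->r[offset] = value; }` (and the same with 0xFF / 0x04 for R_BDIV), and write the reset value only in the else branch instead of unconditionally before the check, which makes the fallback explicit. The check belongs in one helper that is also called from the device's post_load, since a migrated register block is not routed through uart_write.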
You're relying on the register values never being invalid to avoid the divide by zero, which means you need to check them post-migration too.

thanks
-- PMM