From: Akihiko Odaki
To:
Cc: qemu-devel@nongnu.org, Paolo Bonzini, "Michael S. Tsirkin", Alexander Bulekov, Akihiko Odaki
Subject: [PATCH] hw/timer/hpet: Fix expiration time overflow
Date: Mon, 30 Jan 2023 22:50:01 +0900
Message-Id: <20230130135001.76841-1-akihiko.odaki@daynix.com>

The expiration time provided for timer_mod() can overflow if a ridiculously large value is set to the comparator register. The resulting value can represent a past time after being rounded, forcing the timer to fire immediately. If the timer is configured as periodic, it will rearm the timer again, and form an endless loop. Check if the expiration value will overflow, and if it will, stop the timer instead of rearming the timer with the overflowed time.
This bug was found by Alexander Bulekov when fuzzing igb, a new network device emulation: https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/ The fixed test case is: fuzz/crash_2d7036941dcda1ad4380bb8a9174ed0c949bcefd Fixes: 16b29ae180 ("Add HPET emulation to qemu (Beth Kon)") Signed-off-by: Akihiko Odaki Acked-by: Michael S. Tsirkin --- hw/timer/hpet.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c index 9520471be2..3657d5f463 100644 --- a/hw/timer/hpet.c +++ b/hw/timer/hpet.c @@ -352,6 +352,16 @@ static const VMStateDescription vmstate_hpet =3D { } }; =20 +static void arm(HPETTimer *t, uint64_t ticks) +{ + if (ticks < ns_to_ticks(INT64_MAX / 2)) { + timer_mod(t->qemu_timer, + qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ticks_to_ns(tick= s)); + } else { + timer_del(t->qemu_timer); + } +} + /* * timer expiration callback */ @@ -374,13 +384,11 @@ static void hpet_timer(void *opaque) } } diff =3D hpet_calculate_diff(t, cur_tick); - timer_mod(t->qemu_timer, - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ti= cks_to_ns(diff)); + arm(t, diff); } else if (t->config & HPET_TN_32BIT && !timer_is_periodic(t)) { if (t->wrap_flag) { diff =3D hpet_calculate_diff(t, cur_tick); - timer_mod(t->qemu_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)= + - (int64_t)ticks_to_ns(diff)); + arm(t, diff); t->wrap_flag =3D 0; } } @@ -407,8 +415,7 @@ static void hpet_set_timer(HPETTimer *t) t->wrap_flag =3D 1; } } - timer_mod(t->qemu_timer, - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_= to_ns(diff)); + arm(t, diff); } =20 static void hpet_del_timer(HPETTimer *t) --=20 2.39.1
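Review bot: the new arm() helper carries no comment explaining the `if (ticks < ns_to_ticks(INT64_MAX / 2)) {` bound. Since qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) is added to ticks_to_ns(ticks) only after the check, the halved limit is what leaves headroom for the current clock value, and that reasoning, plus the fact that the else branch deliberately lets such a timer never fire (timer_del) rather than clamping the expiration, should be stated above the `if`. Note also that the removed call sites cast ticks_to_ns() to (int64_t) explicitly, whereas the new sum relies on implicit conversion at the timer_mod() argument; that is safe under the bound but deserves a line in the same comment.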
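Review bot: in the periodic branch of hpet_timer(), `arm(t, diff);` can now take the timer_del() path, so a periodic timer whose diff exceeds the bound silently stops instead of rearming. That is the intended replacement for the endless loop, but the commit message only says "stop the timer", so a short comment at this call site (or in arm()) saying the timer stays deleted until hpet_set_timer() arms it again would help the next reader. Using the same helper in the wrap_flag branch is fine for consistency.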
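As an added example (not part of the patch or of QEMU's hpet.c), the arithmetic the commit message describes, with a 10 ns HPET period assumed for illustration: the unchecked expiration wraps to a past time for a huge comparator gap, the patch's INT64_MAX / 2 bound rejects it, and a hypothetical checked-arithmetic variant (expire_checked, built on __builtin_mul_overflow/__builtin_add_overflow) shows that the bound is deliberately conservative.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption for this example: a 10 ns HPET clock period. QEMU's hpet.c
 * expresses the period in femtoseconds; the arithmetic shape is the same. */
#define HPET_PERIOD_NS 10ULL

static uint64_t ticks_to_ns(uint64_t ticks) { return ticks * HPET_PERIOD_NS; }
static uint64_t ns_to_ticks(uint64_t ns) { return ns / HPET_PERIOD_NS; }

/* Pre-patch shape: product and sum computed in uint64_t, then handed to
 * timer_mod() as int64_t. Wraparound turns a huge delay into a past time. */
static int64_t expire_unchecked(int64_t now_ns, uint64_t diff_ticks)
{
    return (int64_t)((uint64_t)now_ns + ticks_to_ns(diff_ticks));
}

/* The condition the commit message describes: expiration not after "now",
 * so the timer fires immediately (and a periodic timer rearms in a loop). */
static bool fires_immediately(int64_t now_ns, uint64_t diff_ticks)
{
    return expire_unchecked(now_ns, diff_ticks) <= now_ns;
}

/* The patch's guard in arm(): arm only when the delay is below INT64_MAX / 2,
 * leaving the other half of the range for the current virtual clock value. */
static bool arm_allowed_by_bound(uint64_t diff_ticks)
{
    return diff_ticks < ns_to_ticks(INT64_MAX / 2);
}

/* Hypothetical alternative (not in the patch): checked arithmetic that
 * accepts exactly the delays whose expiration fits in int64_t. */
static bool expire_checked(int64_t now_ns, uint64_t diff_ticks, int64_t *out)
{
    uint64_t delay_ns;
    if (__builtin_mul_overflow(diff_ticks, HPET_PERIOD_NS, &delay_ns)) {
        return false;               /* ticks_to_ns() itself would wrap */
    }
    if (__builtin_add_overflow(now_ns, delay_ns, out)) {
        return false;               /* now + delay does not fit timer_mod() */
    }
    return true;
}
```

The 5e17-tick case in the checks below is the one the bound rejects although the expiration would still fit, which is the price of checking in the tick domain without knowing the clock value.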