From a95ada20170af0a71529c1583846e402cdbb850b Mon Sep 17 00:00:00 2001
From: Yan Wang
Date: Thu, 10 Feb 2022 10:41:40 +0800
Subject: [PATCH] xhci: check reg to avoid OOB read
Add a sanity check to fix OOB read access.
Signed-off-by: Yan Wang
---
 hw/usb/hcd-xhci.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index e01700039b..08cd63e159 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -27,6 +27,7 @@
 #include "hw/qdev-properties.h"
 #include "trace.h"
 #include "qapi/error.h"
+#include "qemu/log.h"
 #include "hcd-xhci.h"
@@ -3017,14 +3018,17 @@ static void xhci_runtime_write(void *ptr, hwaddr reg,
 XHCIInterrupter *intr;
 int v;
- trace_usb_xhci_runtime_write(reg, val);
-
 if (reg < 0x20) {
 trace_usb_xhci_unimplemented("runtime write", reg);
 return;
 }
 v = (reg - 0x20) / 0x20;
+ if (v >= xhci->numintrs) {
+ qemu_log("intr nr out of range (%d >= %d)\n", v, xhci->numintrs);
+ return;
+ }
 intr = &xhci->intr[v];
+ trace_usb_xhci_runtime_write(reg, val);
 switch (reg & 0x1f) {
 case 0x00: /* IMAN */
--
2.27.0
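Review bot: The rejection path in the second hunk reports a guest-triggerable condition with unconditional `qemu_log()`, so a guest that keeps writing past the last interrupter register set can grow the log whenever logging is enabled; QEMU's usual form for guest errors is `qemu_log_mask(LOG_GUEST_ERROR, "%s: intr nr out of range (%d >= %u)\n", __func__, v, xhci->numintrs);`. The `%u` assumes `numintrs` is an unsigned field, which this hunk does not show, so confirm it against the struct definition. Because `trace_usb_xhci_runtime_write()` now runs only after the check, a rejected write emits no trace event and the log line is its only record. The body of xhci_runtime_write starts and ends outside the hunk, and the matching runtime read handler is not visible here; if it derives `v` from `reg` the same way, it needs the same guard.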