| Message ID | 20211211191135.1764649-3-peter.maydell@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | arm gicv3 ITS: Various bug fixes and refactorings | expand |
On 12/11/21 11:11 AM, Peter Maydell wrote: > The checks in the ITS on the rdbase values in guest commands are > off-by-one: they permit the guest to pass us a value equal to > s->gicv3->num_cpu, but the valid values are 0...num_cpu-1. This > meant the guest could cause us to index off the end of the > s->gicv3->cpu[] array when calling gicv3_redist_process_lpi(), and we > would probably crash. > > Cc:qemu-stable@nongnu.org > Fixes: 17fb5e36aabd4b ("hw/intc: GICv3 redistributor ITS processing") > Signed-off-by: Peter Maydell<peter.maydell@linaro.org> > --- > Not a security bug, because only usable with emulation. > --- > hw/intc/arm_gicv3_its.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Reviewed-by: Richard Henderson <richard.henderson@linaro.org> r~
Peter Maydell <peter.maydell@linaro.org> writes: > The checks in the ITS on the rdbase values in guest commands are > off-by-one: they permit the guest to pass us a value equal to > s->gicv3->num_cpu, but the valid values are 0...num_cpu-1. This > meant the guest could cause us to index off the end of the > s->gicv3->cpu[] array when calling gicv3_redist_process_lpi(), and we > would probably crash. > > Cc: qemu-stable@nongnu.org > Fixes: 17fb5e36aabd4b ("hw/intc: GICv3 redistributor ITS processing") > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c index b99e63d58f7..677b96dfe23 100644 --- a/hw/intc/arm_gicv3_its.c +++ b/hw/intc/arm_gicv3_its.c @@ -311,7 +311,7 @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset, */ rdbase = (cte & GITS_CTE_RDBASE_PROCNUM_MASK) >> 1U; - if (rdbase > s->gicv3->num_cpu) { + if (rdbase >= s->gicv3->num_cpu) { return result; } @@ -505,7 +505,7 @@ static bool process_mapc(GICv3ITSState *s, uint32_t offset) valid = (value & CMD_FIELD_VALID_MASK); - if ((icid > s->ct.maxids.max_collids) || (rdbase > s->gicv3->num_cpu)) { + if ((icid > s->ct.maxids.max_collids) || (rdbase >= s->gicv3->num_cpu)) { qemu_log_mask(LOG_GUEST_ERROR, "ITS MAPC: invalid collection table attributes " "icid %d rdbase %" PRIu64 "\n", icid, rdbase);
The checks in the ITS on the rdbase values in guest commands are off-by-one: they permit the guest to pass us a value equal to s->gicv3->num_cpu, but the valid values are 0...num_cpu-1. This meant the guest could cause us to index off the end of the s->gicv3->cpu[] array when calling gicv3_redist_process_lpi(), and we would probably crash. Cc: qemu-stable@nongnu.org Fixes: 17fb5e36aabd4b ("hw/intc: GICv3 redistributor ITS processing") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- Not a security bug, because only usable with emulation. --- hw/intc/arm_gicv3_its.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)