From patchwork Fri Jan 7 17:21:31 2022
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 530473
From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 08/19] hw/intc/arm_gicv3_its: Correct setting of TableDesc entry_sz
Date: Fri, 7 Jan 2022 17:21:31 +0000
Message-Id: <20220107172142.2651911-9-peter.maydell@linaro.org>
In-Reply-To: <20220107172142.2651911-1-peter.maydell@linaro.org>
References: <20220107172142.2651911-1-peter.maydell@linaro.org>

We set the TableDesc entry_sz field from the appropriate
GITS_BASER.ENTRYSIZE field. That ID register field specifies the
number of bytes per table entry minus one. However, when we use
td->entry_sz we assume it to be the number of bytes per table entry
(for instance we calculate the number of entries in a page by
dividing the page size by the entry size).

The effects of this bug are:
 * we miscalculate the maximum number of entries in the table, so our
   checks on guest index values are wrong (too lax)
 * when looking up an entry in the second level of an indirect table,
   we calculate an incorrect index into the L2 table.

Because we make the same incorrect calculation on both reads and
writes of the L2 table, the guest won't notice unless it's unlucky
enough to use an index value that causes us to index off the end of
the L2 table page and cause guest memory corruption in whatever
follows.

Signed-off-by: Peter Maydell
Reviewed-by: Alex Bennée
Reviewed-by: Richard Henderson
---
 hw/intc/arm_gicv3_its.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c index 84808b1e298..88f4d730999 100644 --- a/hw/intc/arm_gicv3_its.c +++ b/hw/intc/arm_gicv3_its.c @@ -829,7 +829,7 @@ static void extract_table_params(GICv3ITSState *s) } td->page_sz = page_sz; td->indirect = FIELD_EX64(value, GITS_BASER, INDIRECT); - td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE); + td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE) + 1; td->base_addr = baser_base_addr(value, page_sz); if (!td->indirect) { td->max_entries = (num_pages * page_sz) / td->entry_sz;
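Review bot: the changed line `td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE) + 1;` deserves a one-line comment saying that the architectural ENTRYSIZE field encodes bytes-per-entry minus one; the rationale currently lives only in the commit message, and a bare `+ 1` reads like an off-by-one to anyone who later touches extract_table_params(). Also worth a sentence in the message: since entry_sz is now at least 1, the unchanged context line `td->max_entries = (num_pages * page_sz) / td->entry_sz;` can no longer divide by zero when the ENTRYSIZE field reads as 0.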
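The commit message describes two consequences of reading GITS_BASER.ENTRYSIZE as a byte count instead of bytes-minus-one: a lax bounds check on guest indices, and a wrong offset into an L2 page. The program below is an added example, not QEMU code, that models both with a constructed register value. It assumes the ENTRYSIZE field sits in bits [52:48] as the GICv3 architecture defines it; the macro and function names (`entry_sz_buggy`, `entry_sz_fixed`, `max_entries`, `index_ok`, `l2_entry_offset`) are this example's own, and `l2_entry_offset` is a simplified model of the L2 lookup the message describes (index modulo entries-per-page, times entry size), not the project's routine.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* GITS_BASER.ENTRYSIZE occupies bits [52:48] (5 bits) per the GICv3 spec.
 * The macro and function names below are this example's own, not QEMU's. */
#define ENTRYSIZE_SHIFT 48
#define ENTRYSIZE_MASK  0x1fULL

/* Raw field value: architecturally "bytes per entry minus one". */
static uint64_t entrysize_field(uint64_t baser)
{
    return (baser >> ENTRYSIZE_SHIFT) & ENTRYSIZE_MASK;
}

/* Pre-patch reading: the field taken as the byte count itself. */
static uint64_t entry_sz_buggy(uint64_t baser)
{
    return entrysize_field(baser);
}

/* Post-patch reading: add one, as the hunk does. */
static uint64_t entry_sz_fixed(uint64_t baser)
{
    return entrysize_field(baser) + 1;
}

/* Entries in a flat table, mirroring "(num_pages * page_sz) / td->entry_sz"
 * from the hunk; returns 0 rather than dividing by a zero entry size. */
static uint64_t max_entries(uint64_t num_pages, uint64_t page_sz,
                            uint64_t entry_sz)
{
    return entry_sz ? (num_pages * page_sz) / entry_sz : 0;
}

/* Bounds check on a guest-supplied index: 1 = accepted, 0 = rejected. */
static int index_ok(uint64_t idx, uint64_t num_pages, uint64_t page_sz,
                    uint64_t entry_sz)
{
    return idx < max_entries(num_pages, page_sz, entry_sz);
}

/* Byte offset of entry idx within its L2 page of an indirect table:
 * (idx mod entries-per-page) * entry_sz. Simplified model of the lookup the
 * commit message describes, not QEMU's routine. Degenerate sizes yield 0. */
static uint64_t l2_entry_offset(uint64_t idx, uint64_t page_sz,
                                uint64_t entry_sz)
{
    if (entry_sz == 0 || entry_sz > page_sz) {
        return 0;
    }
    uint64_t per_page = page_sz / entry_sz;
    return (idx % per_page) * entry_sz;
}

int main(void)
{
    /* Constructed register value: ENTRYSIZE field = 7, i.e. 8-byte entries. */
    uint64_t baser = 7ULL << ENTRYSIZE_SHIFT;
    uint64_t page_sz = 4096, num_pages = 1;
    uint64_t b = entry_sz_buggy(baser), f = entry_sz_fixed(baser);

    printf("entry_sz            buggy=%" PRIu64 " fixed=%" PRIu64 "\n", b, f);
    printf("entries per 4K page buggy=%" PRIu64 " fixed=%" PRIu64 "\n",
           max_entries(num_pages, page_sz, b),
           max_entries(num_pages, page_sz, f));
    /* Index 540 lies past the 512 real slots of one page: the correct check
     * rejects it, the lax one lets it through. */
    printf("index 540 accepted  buggy=%d fixed=%d\n",
           index_ok(540, num_pages, page_sz, b),
           index_ok(540, num_pages, page_sz, f));
    /* Entry 512 starts the next L2 page under the correct stride, but the
     * 7-byte stride places it mid-page, straddling real 8-byte slots. */
    printf("L2 offset of 512    buggy=%" PRIu64 " fixed=%" PRIu64 "\n",
           l2_entry_offset(512, page_sz, b),
           l2_entry_offset(512, page_sz, f));
    return 0;
}
```

Compile with any C99 compiler and run; the point to take away is that every derived quantity (entries per page, the index bound, the byte offset inside a page) is wrong by the same factor of 7/8, which is exactly why the guest sees consistent results until an index lands where the drift matters.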