[PULL 08/19] hw/intc/arm_gicv3_its: Correct setting of TableDesc entry_s
From: Peter Maydell
Subject: [PULL 08/19] hw/intc/arm_gicv3_its: Correct setting of TableDesc entry_sz
Date: Fri, 7 Jan 2022 17:21:31 +0000
We set the TableDesc entry_sz field from the appropriate
GITS_BASER.ENTRYSIZE field. That ID register field specifies the
number of bytes per table entry minus one. However when we use
td->entry_sz we assume it to be the number of bytes per table entry
(for instance we calculate the number of entries in a page by
dividing the page size by the entry size).
The effects of this bug are:
* we miscalculate the maximum number of entries in the table,
so our checks on guest index values are wrong (too lax)
* when looking up an entry in the second level of an indirect
table, we calculate an incorrect index into the L2 table.
Because we make the same incorrect calculation on both
reads and writes of the L2 table, the guest won't notice
unless it's unlucky enough to use an index value that
causes us to index off the end of the L2 table page and
cause guest memory corruption in whatever follows.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
hw/intc/arm_gicv3_its.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index 84808b1e298..88f4d730999 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -829,7 +829,7 @@ static void extract_table_params(GICv3ITSState *s)
}
td->page_sz = page_sz;
td->indirect = FIELD_EX64(value, GITS_BASER, INDIRECT);
- td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE);
+ td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE) + 1;
td->base_addr = baser_base_addr(value, page_sz);
if (!td->indirect) {
td->max_entries = (num_pages * page_sz) / td->entry_sz;
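Review bot: the `+ 1` is correct (GITS_BASER.ENTRYSIZE encodes bytes-per-entry minus one, as the commit message explains), but nothing at the assignment records that, so a later reader may take the `+ 1` for an off-by-one and remove it again; a one-line comment at `td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE) + 1;` such as `/* ENTRYSIZE holds (bytes per entry - 1); store the real byte count */` would pin it down. The unchanged context line `td->max_entries = (num_pages * page_sz) / td->entry_sz;` is the one whose result feeds the guest-index bounds checks the message describes, and after this change it can no longer divide by zero for a field value of 0, which is worth a word in the commit message. The message also says the same field is used when computing the index into an L2 page of an indirect table; that code is outside this hunk, so it is worth confirming that every other user of `td->entry_sz` already expects a byte count rather than the raw field.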
--
2.25.1
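The off-by-one the commit message describes, shown as an added example that is not QEMU's code: a constructed model of the TableDesc fields with the pre-fix and post-fix decode side by side, the guest-index bounds check built on max_entries, and the entries-per-page value used when splitting an index for an indirect table. The FIELD_EX64 extraction is replaced by passing the 5-bit ENTRYSIZE field value directly; the page size, page count and index values are constructed, and entry_fits is a hypothetical helper that measures an accepted index against the real entry width.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not QEMU's TableDesc) of the fields the patch touches.
 * entry_sz is meant to hold the number of bytes per table entry.
 */
typedef struct {
    uint64_t entry_sz;     /* bytes per table entry */
    uint64_t page_sz;      /* bytes per table page */
    uint64_t max_entries;  /* entries a flat table of num_pages pages holds */
} TableDesc;

/*
 * Pre-fix behaviour: stores the raw GITS_BASER.ENTRYSIZE field, which is
 * defined as (bytes per entry - 1), directly as entry_sz. The guard only
 * keeps this model from dividing by zero for a field value of 0 (1-byte
 * entries); it is not part of the original code.
 */
static TableDesc decode_buggy(uint64_t entrysize_field, uint64_t page_sz,
                              uint64_t num_pages)
{
    TableDesc td = { .entry_sz = entrysize_field, .page_sz = page_sz };
    td.max_entries = td.entry_sz ? (num_pages * page_sz) / td.entry_sz : 0;
    return td;
}

/* Post-fix behaviour: the +1 from the patch turns the field into a byte count. */
static TableDesc decode_fixed(uint64_t entrysize_field, uint64_t page_sz,
                              uint64_t num_pages)
{
    TableDesc td = { .entry_sz = entrysize_field + 1, .page_sz = page_sz };
    td.max_entries = (num_pages * page_sz) / td.entry_sz; /* entry_sz >= 1 */
    return td;
}

/* The guest-index bounds check that the commit message says became too lax. */
static bool index_in_range(const TableDesc *td, uint64_t idx)
{
    return idx < td->max_entries;
}

/* Entries per page, as used when splitting an index for an indirect table. */
static uint64_t entries_per_page(const TableDesc *td)
{
    return td->page_sz / td->entry_sz;
}

/*
 * Hypothetical helper: true when the entry at idx, measured with the real
 * entry width, lies entirely inside a table of table_bytes bytes.
 */
static bool entry_fits(uint64_t idx, uint64_t real_entry_bytes,
                       uint64_t table_bytes)
{
    return (idx + 1) * real_entry_bytes <= table_bytes;
}

int main(void)
{
    /* Constructed values: 8-byte entries (field encodes 7), one 4 KiB page. */
    const uint64_t field = 7, page = 4096, pages = 1, idx = 520;
    TableDesc before = decode_buggy(field, page, pages);
    TableDesc after = decode_fixed(field, page, pages);

    printf("max_entries: buggy=%" PRIu64 " fixed=%" PRIu64 "\n",
           before.max_entries, after.max_entries);
    printf("entries per page: buggy=%" PRIu64 " fixed=%" PRIu64 "\n",
           entries_per_page(&before), entries_per_page(&after));
    printf("index %" PRIu64 ": buggy accepts=%d fixed accepts=%d "
           "fits real table=%d\n", idx,
           index_in_range(&before, idx), index_in_range(&after, idx),
           entry_fits(idx, after.entry_sz, pages * page));
    return 0;
}
```

With these constructed values the pre-fix decode reports 585 entries in a single 4 KiB page of 8-byte entries and accepts index 520, while the entry at that index actually starts at byte 4160, past the end of the page; the post-fix decode reports 512 entries and rejects the same index.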