[PULL 27/32] hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimpl
From: Peter Maydell
Subject: [PULL 27/32] hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimplemented registers
Date: Fri, 28 Jan 2022 15:30:04 +0000
The ITS has a bank of 8 GITS_BASER<n> registers, which allow the
guest to specify the base address of various data tables. Each
register has a read-only type field indicating which table it is for
and a read-write field where the guest can write in the base address
(among other things). We currently allow the guest to write the
writeable fields for all eight registers, even if the type field is 0
indicating "Unimplemented". This means the guest can provoke QEMU
into asserting by writing an address into one of these unimplemented
base registers, which bypasses the "if (!value) continue" check in
extract_table_params() and lets us hit the assertion that the type
field is one of the permitted table types.
Prevent the assertion by not allowing the guest to write to the
unimplemented base registers. This means their value will remain 0
and extract_table_params() will ignore them.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220122182444.724087-12-peter.maydell@linaro.org
---
hw/intc/arm_gicv3_its.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index b17f2631269..237198845d7 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -929,6 +929,10 @@ static bool its_writel(GICv3ITSState *s, hwaddr offset,
if (!(s->ctlr & R_GITS_CTLR_ENABLED_MASK)) {
index = (offset - GITS_BASER) / 8;
+ if (s->baser[index] == 0) {
+ /* Unimplemented GITS_BASERn: RAZ/WI */
+ break;
+ }
if (offset & 7) {
value <<= 32;
value &= ~GITS_BASER_RO_MASK;
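Review bot: The new test in its_writel(), `if (s->baser[index] == 0)`, treats an all-zero register as unimplemented, while the commit message defines unimplemented as a type field of 0. The two agree only as long as every implemented register carries a non-zero read-only type field, so either test the type field directly or extend the `/* Unimplemented GITS_BASERn: RAZ/WI */` comment to state that invariant. Otherwise a later change to the reset values or to GITS_BASER_RO_MASK could silently turn an implemented register write-ignored.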
@@ -1025,6 +1029,10 @@ static bool its_writell(GICv3ITSState *s, hwaddr offset,
*/
if (!(s->ctlr & R_GITS_CTLR_ENABLED_MASK)) {
index = (offset - GITS_BASER) / 8;
+ if (s->baser[index] == 0) {
+ /* Unimplemented GITS_BASERn: RAZ/WI */
+ break;
+ }
s->baser[index] &= GITS_BASER_RO_MASK;
s->baser[index] |= (value & ~GITS_BASER_RO_MASK);
}
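Review bot: The guard in its_writell() is a verbatim copy of the one added to its_writel(), so the 32-bit and 64-bit write paths each carry their own copy of the RAZ/WI rule. A small shared helper for the "is this GITS_BASERn implemented" test would keep the two paths from drifting apart. The zero test stays valid here only because the following `s->baser[index] &= GITS_BASER_RO_MASK;` preserves the read-only bits on every write, which is worth a word in the comment.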
--
2.25.1
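A reduced model of the failure mode and the guard described in the commit message, as an added example that is not part of the patch or of QEMU's code. The `ItsModel` type, the helper names, the choice of registers 0 and 1 as the implemented ones, and the simplified read-only mask (type field only) are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model constants (assumed): type field in bits [58:56], the only RO bits here. */
#define TYPE_SHIFT 56
#define RO_MASK (0x7ULL << TYPE_SHIFT)
enum { TYPE_UNIMPL = 0, TYPE_DEVICE = 1, TYPE_COLLECTION = 4 };

typedef struct { uint64_t baser[8]; } ItsModel; /* hypothetical ITS state */

/* Reset: registers 0 and 1 are implemented (assumption); the other six stay 0. */
void its_reset(ItsModel *s) {
    for (int i = 0; i < 8; i++) { s->baser[i] = 0; }
    s->baser[0] = (uint64_t)TYPE_DEVICE << TYPE_SHIFT;
    s->baser[1] = (uint64_t)TYPE_COLLECTION << TYPE_SHIFT;
}

/* 64-bit register write; guard=false models the behaviour before the patch. */
void baser_write(ItsModel *s, int index, uint64_t value, bool guard) {
    if (guard && s->baser[index] == 0) { return; } /* unimplemented: ignored */
    s->baser[index] &= RO_MASK;          /* keep the read-only type field */
    s->baser[index] |= value & ~RO_MASK; /* take only the writable bits */
}

/* Stand-in for the table scan: zero registers are skipped. Returns the index
 * of the first non-zero register whose type is not a table type (the point
 * where the real code asserts), or -1 if every register is acceptable. */
int first_bad_table(const ItsModel *s) {
    for (int i = 0; i < 8; i++) {
        uint64_t v = s->baser[i];
        if (!v) { continue; }
        unsigned type = (unsigned)((v & RO_MASK) >> TYPE_SHIFT);
        if (type != TYPE_DEVICE && type != TYPE_COLLECTION) { return i; }
    }
    return -1;
}

/* Reset, perform one guest write, then run the scan. */
int check_after_write(int index, uint64_t value, bool guard) {
    ItsModel s;
    its_reset(&s);
    baser_write(&s, index, value, guard);
    return first_bad_table(&s);
}

int main(void) {
    printf("unguarded: %d\n", check_after_write(5, 0x80000000ULL, false));
    printf("guarded:   %d\n", check_after_write(5, 0x80000000ULL, true));
    return 0;
}
```
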