Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check

From:	Richard Henderson
Subject:	Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase
Date:	Sun, 12 Dec 2021 09:32:26 -0800
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0

On 12/11/21 11:11 AM, Peter Maydell wrote:

The checks in the ITS on the rdbase values in guest commands are
off-by-one: they permit the guest to pass us a value equal to
s->gicv3->num_cpu, but the valid values are 0...num_cpu-1.  This
meant the guest could cause us to index off the end of the
s->gicv3->cpu[] array when calling gicv3_redist_process_lpi(), and we
would probably crash.

Cc:qemu-stable@nongnu.org
Fixes: 17fb5e36aabd4b ("hw/intc: GICv3 redistributor ITS processing")
Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
---
Not a security bug, because only usable with emulation.
---
  hw/intc/arm_gicv3_its.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)


Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 00/26] arm gicv3 ITS: Various bug fixes and refactorings, Peter Maydell, 2021/12/11
- [PATCH 01/26] hw/intc: clean-up error reporting for failed ITS cmd, Peter Maydell, 2021/12/11
  - Re: [PATCH 01/26] hw/intc: clean-up error reporting for failed ITS cmd, Richard Henderson, 2021/12/12
- [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase, Peter Maydell, 2021/12/11
  - Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase, Richard Henderson <=
  - Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase, Alex Bennée, 2021/12/13
- [PATCH 04/26] hw/intc/arm_gicv3_its: Remove maxids union from TableDesc, Peter Maydell, 2021/12/11
  - Re: [PATCH 04/26] hw/intc/arm_gicv3_its: Remove maxids union from TableDesc, Richard Henderson, 2021/12/12
  - Re: [PATCH 04/26] hw/intc/arm_gicv3_its: Remove maxids union from TableDesc, Alex Bennée, 2021/12/13
- [PATCH 03/26] hw/intc/arm_gicv3_its: Remove redundant ITS_CTLR_ENABLED define, Peter Maydell, 2021/12/11
  - Re: [PATCH 03/26] hw/intc/arm_gicv3_its: Remove redundant ITS_CTLR_ENABLED define, Richard Henderson, 2021/12/12
  - Re: [PATCH 03/26] hw/intc/arm_gicv3_its: Remove redundant ITS_CTLR_ENABLED define, Philippe Mathieu-Daudé, 2021/12/12
  - Re: [PATCH 03/26] hw/intc/arm_gicv3_its: Remove redundant ITS_CTLR_ENABLED define, Alex Bennée, 2021/12/13
- [PATCH 25/26] hw/intc/arm_gicv3_its: Fix return codes in process_mapd(), Peter Maydell, 2021/12/11
  - Re: [PATCH 25/26] hw/intc/arm_gicv3_its: Fix return codes in process_mapd(), Richard Henderson, 2021/12/12

Prev by Date: Re: [PATCH 01/26] hw/intc: clean-up error reporting for failed ITS cmd
Next by Date: Re: [PATCH 03/26] hw/intc/arm_gicv3_its: Remove redundant ITS_CTLR_ENABLED define
Previous by thread: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase
Next by thread: Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase
Index(es):
- Date
- Thread