Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check

From: Richard Henderson
Subject: Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase
Date: Sun, 12 Dec 2021 09:32:26 -0800

On 12/11/21 11:11 AM, Peter Maydell wrote:
The checks in the ITS on the rdbase values in guest commands are
off-by-one: they permit the guest to pass us a value equal to
s->gicv3->num_cpu, but the valid values are 0...num_cpu-1.  This
meant the guest could cause us to index off the end of the
s->gicv3->cpu[] array when calling gicv3_redist_process_lpi(), and we
would probably crash.

Fixes: 17fb5e36aabd4b ("hw/intc: GICv3 redistributor ITS processing")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Not a security bug, because only usable with emulation.
  hw/intc/arm_gicv3_its.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>


