From: | Alex Bennée |
Subject: | Re: [PATCH 02/26] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase |
Date: | Mon, 13 Dec 2021 11:22:49 +0000 |
User-agent: | mu4e 1.7.5; emacs 28.0.90 |
Peter Maydell <peter.maydell@linaro.org> writes:

> The checks in the ITS on the rdbase values in guest commands are
> off-by-one: they permit the guest to pass us a value equal to
> s->gicv3->num_cpu, but the valid values are 0...num_cpu-1. This
> meant the guest could cause us to index off the end of the
> s->gicv3->cpu[] array when calling gicv3_redist_process_lpi(), and we
> would probably crash.
>
> Cc: qemu-stable@nongnu.org
> Fixes: 17fb5e36aabd4b ("hw/intc: GICv3 redistributor ITS processing")
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

-- 
Alex Bennée
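The bounds check described in the quoted commit message, as an added example that is not part of this thread and is not QEMU's code: a simplified model in which `ModelGIC`, `ModelCPU` and every function name are hypothetical, comparing a check that lets `rdbase == num_cpu` through with one that only accepts 0...num_cpu-1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the s->gicv3->num_cpu and s->gicv3->cpu[]
 * fields named in the commit message; these are not QEMU's types. */
typedef struct { unsigned lpi_count; } ModelCPU;
typedef struct { uint32_t num_cpu; ModelCPU *cpu; } ModelGIC; /* valid: 0..num_cpu-1 */

typedef bool (*rdbase_check)(const ModelGIC *, uint64_t);

/* Off-by-one check as described: rdbase == num_cpu is let through. */
static bool rdbase_ok_off_by_one(const ModelGIC *g, uint64_t rdbase)
{
    return !(rdbase > g->num_cpu);
}

/* Corrected check: only 0..num_cpu-1 pass. */
static bool rdbase_ok_fixed(const ModelGIC *g, uint64_t rdbase)
{
    return rdbase < g->num_cpu;
}

/* Lowest rdbase the check accepts that lies past the end of cpu[], or -1.
 * Only the predicate is evaluated; cpu[] is never indexed here. */
static int64_t first_accepted_oob(const ModelGIC *g, rdbase_check check)
{
    for (uint64_t r = 0; r <= (uint64_t)g->num_cpu + 1; r++) {
        if (check(g, r) && r >= g->num_cpu) return (int64_t)r;
    }
    return -1;
}

/* Validate the guest-supplied value before it is used as an index. */
static int model_process_lpi(ModelGIC *g, uint64_t rdbase)
{
    if (!rdbase_ok_fixed(g, rdbase)) return -1;
    g->cpu[rdbase].lpi_count++;
    return 0;
}

int main(void)
{
    ModelCPU cpus[4] = { { 0 } };               /* constructed sample: 4 CPUs */
    ModelGIC g = { .num_cpu = 4, .cpu = cpus };
    printf("off-by-one lets through: %lld\n", (long long)first_accepted_oob(&g, rdbase_ok_off_by_one));
    return model_process_lpi(&g, 4) == -1 ? 0 : 1;
}
```

Testing such a check at exactly `num_cpu` and `num_cpu - 1` is what separates the two forms; any other input gives the same answer from both.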