Re: [PATCH 12/14] hw/intc/arm_gicv3_its: Check table bounds against corr

qemu-arm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 12/14] hw/intc/arm_gicv3_its: Check table bounds against corr

From:	Richard Henderson
Subject:	Re: [PATCH 12/14] hw/intc/arm_gicv3_its: Check table bounds against correct limit
Date:	Fri, 28 Jan 2022 14:32:37 +1100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

On 1/23/22 05:24, Peter Maydell wrote:

Currently when we fill in a TableDesc based on the value the guest
has written to the GITS_BASER<n> register, we calculate both:
  * num_entries : the number of entries in the table, constrained
    by the amount of memory the guest has given it
  * num_ids : the number of IDs we support for this table,
    constrained by the implementation choices and the architecture
    (eg DeviceIDs are 16 bits, so num_ids is 1 << 16)

When validating ITS commands, however, we check only num_ids,
thus allowing a broken guest to specify table entries that
index off the end of it. This will only corrupt guest memory,
but the ITS is supposed to reject such commands as invalid.

Instead of calculating both num_entries and num_ids, set
num_entries to the minimum of the two limits, and check that.

Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
---
  include/hw/intc/arm_gicv3_its_common.h |  1 -
  hw/intc/arm_gicv3_its.c                | 18 +++++++++---------
  2 files changed, 9 insertions(+), 10 deletions(-)


Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 07/14] hw/intc/arm_gicv3_its: Sort ITS command list into numeric order, (continued)
- [PATCH 04/14] hw/intc/arm_gicv3_its: Don't clear GITS_CREADR when GITS_CTLR.ENABLED is set, Peter Maydell, 2022/01/22
  - Re: [PATCH 04/14] hw/intc/arm_gicv3_its: Don't clear GITS_CREADR when GITS_CTLR.ENABLED is set, Richard Henderson, 2022/01/27
- [PATCH 10/14] hw/intc/arm_gicv3_its: Provide read accessor for translation_ops, Peter Maydell, 2022/01/22
  - Re: [PATCH 10/14] hw/intc/arm_gicv3_its: Provide read accessor for translation_ops, Philippe Mathieu-Daudé, 2022/01/23
  - Re: [PATCH 10/14] hw/intc/arm_gicv3_its: Provide read accessor for translation_ops, Richard Henderson, 2022/01/27
- [PATCH 11/14] hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimplemented registers, Peter Maydell, 2022/01/22
  - Re: [PATCH 11/14] hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimplemented registers, Richard Henderson, 2022/01/27
- [PATCH 12/14] hw/intc/arm_gicv3_its: Check table bounds against correct limit, Peter Maydell, 2022/01/22
  - Re: [PATCH 12/14] hw/intc/arm_gicv3_its: Check table bounds against correct limit, Richard Henderson <=
- [PATCH 14/14] hw/intc/arm_gicv3_its: Implement MOVI, Peter Maydell, 2022/01/22
  - Re: [PATCH 14/14] hw/intc/arm_gicv3_its: Implement MOVI, Richard Henderson, 2022/01/27
- [PATCH 03/14] hw/intc/arm_gicv3: Initialise dma_as in GIC, not ITS, Peter Maydell, 2022/01/22
  - Re: [PATCH 03/14] hw/intc/arm_gicv3: Initialise dma_as in GIC, not ITS, Richard Henderson, 2022/01/27

Prev by Date: Re: [PATCH 11/14] hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimplemented registers
Next by Date: Re: [PATCH 13/14] hw/intc/arm_gicv3_its: Implement MOVALL
Previous by thread: [PATCH 12/14] hw/intc/arm_gicv3_its: Check table bounds against correct limit
Next by thread: [PATCH 14/14] hw/intc/arm_gicv3_its: Implement MOVI
Index(es):
- Date
- Thread