Re: [QEMU-SECURITY] [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register

From: P J P <pjp@fedoraproject.org>
To: "P J P" <ppandit@redhat.com>,
	"QEMU Security" <qemu-security@nongnu.org>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>
Cc: "Edgar E . Iglesias" <edgar.iglesias@xilinx.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>,
	Li Qiang <liq3ea@gmail.com>,
	"qemu-stable@nongnu.org" <qemu-stable@nongnu.org>,
	"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
	Alexander Bulekov <alxndr@bu.edu>,
	"qemu-arm@nongnu.org" <qemu-arm@nongnu.org>,
	Luc Michel <luc.michel@greensocs.com>
Subject: Re: [QEMU-SECURITY] [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Date: Tue, 2 Feb 2021 06:21:57 +0000 (UTC)	[thread overview]
Message-ID: <787280826.1146023.1612246917145@mail.yahoo.com> (raw)
In-Reply-To: <6d29aa57-2e6e-e81d-831f-803d9aae798f@amsat.org>

On Sunday, 31 January, 2021, 08:48:26 pm IST, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote: 
>Forwarding to qemu-security@ to see if this issue is worth a CVE.
>
> | On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
> | > Per the ARM Generic Interrupt Controller Architecture specification
> | > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
> | > not 10:
> | > 
> | >    - Table 4-21 GICD_SGIR bit assignments
> | > 
> | >    The Interrupt ID of the SGI to forward to the specified CPU
> | >    interfaces. The value of this field is the Interrupt ID, in
> | >    the range 0-15, for example a value of 0b0011 specifies
> | >    Interrupt ID 3.
> | > 
> | > diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
> | > index af41e2fb448..75316329516 100644
> | > --- a/hw/intc/arm_gic.c
> | > +++ b/hw/intc/arm_gic.c
> | > @@ -1476,7 +1476,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
> | >          int target_cpu;
> | >  
> | >          cpu = gic_get_current_cpu(s);
> | > -        irq = value & 0x3ff;
> | > +        irq = value & 0xf;
> | >          switch ((value >> 24) & 3) {
> | >          case 0:
> | >              mask = (value >> 16) & ALL_CPU_MASK;
> | > 
> | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
> | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917

* Does above patch address both these bugs? For BZ#1913917 'irq' is derived from 'offset' it seems.

        /* Interrupt Configuration.  */                                         
        irq = (offset - 0xc00) * 4;

> | > Correct the irq mask to fix an undefined behavior (which eventually
> | > lead to a heap-buffer-overflow, see [Buglink]):
> | > 
> | >    $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
> | >    [I 1612088147.116987] OPENED
> | >  [R +0.278293] writel 0x8000f00 0xff4affb0
> | >  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
> | >  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
> | > 
> | > Cc: qemu-stable@nongnu.org
> | > Fixes: 9ee6e8bb853 ("ARMv7 support.")
> |
> | > ---
> | > Isnt it worth a CVE to help distributions track backports?
> | > ---

Thank you for reporting this issue. Will process further.

Thank you.
---
  -P J P
http://feedmug.com