From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PULL 08/19] hw/intc/arm_gicv3_its: Correct setting of TableDesc entry_sz
Date: Fri,  7 Jan 2022 17:21:31 +0000
Message-ID: <20220107172142.2651911-9-peter.maydell@linaro.org>
In-Reply-To: <20220107172142.2651911-1-peter.maydell@linaro.org>

We set the TableDesc entry_sz field from the appropriate
GITS_BASER.ENTRYSIZE field.  That ID register field specifies the
number of bytes per table entry minus one.  However, when we use
td->entry_sz we assume it to be the number of bytes per table entry
(for instance we calculate the number of entries in a page by
dividing the page size by the entry size).

The effects of this bug are:
 * we miscalculate the maximum number of entries in the table,
   so our checks on guest index values are wrong (too lax)
 * when looking up an entry in the second level of an indirect
   table, we calculate an incorrect index into the L2 table.
   Because we make the same incorrect calculation on both
   reads and writes of the L2 table, the guest won't notice
   unless it's unlucky enough to use an index value that
   causes us to index off the end of the L2 table page and
   cause guest memory corruption in whatever follows

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/intc/arm_gicv3_its.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index 84808b1e298..88f4d730999 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -829,7 +829,7 @@ static void extract_table_params(GICv3ITSState *s)
         }
         td->page_sz = page_sz;
         td->indirect = FIELD_EX64(value, GITS_BASER, INDIRECT);
-        td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE);
+        td->entry_sz = FIELD_EX64(value, GITS_BASER, ENTRYSIZE) + 1;
         td->base_addr = baser_base_addr(value, page_sz);
         if (!td->indirect) {
             td->max_entries = (num_pages * page_sz) / td->entry_sz;
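Review bot: With the `+ 1`, `td->entry_sz` now matches the byte count the rest of `extract_table_params()` expects, and it can no longer be zero, so the division in `td->max_entries = (num_pages * page_sz) / td->entry_sz` two lines below is safe as well; consider adding a one-line comment next to the assignment stating that GITS_BASER.ENTRYSIZE encodes (bytes per entry - 1), since the same off-by-one is easy to reintroduce when this decode is copied elsewhere.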
-- 
2.25.1
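As an added illustration of the two effects the commit message describes (this is not QEMU's code), the model below decodes GITS_BASER.Entry_Size both the pre-fix way and the fixed way, then shows how the too-lax max_entries bound and the too-large entries-per-page count combine to place an L2 access past the end of its page. The TableDesc here is a cut-down stand-in for the one in hw/intc/arm_gicv3_its.c; the Entry_Size field position (bits [52:48]) is the architectural one, while the 4 KiB page, the single-page table, the 8-byte entry width used for the access, and the index 540 are constructed sample values.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cut-down stand-in for QEMU's TableDesc (added example, not the project's code). */
typedef struct {
    uint64_t page_sz;      /* bytes per table page */
    uint64_t entry_sz;     /* decoded bytes per entry */
    uint64_t max_entries;  /* bound used to validate guest indexes */
} TableDesc;

/* GITS_BASER.Entry_Size is bits [52:48] and holds (bytes per entry - 1). */
#define BASER_ENTRYSIZE_SHIFT 48
#define BASER_ENTRYSIZE_MASK  0x1fULL

/* Width of the access the model performs on an entry: 8-byte entries,
 * a constructed value matching the sample BASER below. */
#define ENTRY_BYTES 8ULL

/* Constructed sample: one 4 KiB page, Entry_Size field = 7 (i.e. 8 bytes). */
#define SAMPLE_PAGE_SZ   4096ULL
#define SAMPLE_NUM_PAGES 1ULL
#define SAMPLE_BASER     ((uint64_t)(ENTRY_BYTES - 1) << BASER_ENTRYSIZE_SHIFT)

static uint64_t baser_entrysize_field(uint64_t baser)
{
    return (baser >> BASER_ENTRYSIZE_SHIFT) & BASER_ENTRYSIZE_MASK;
}

/* Decode a flat table's BASER. 'buggy' reproduces the pre-fix decoding that
 * took the raw field value as the byte count; the fix is the "+ 1". */
static TableDesc extract_table_params(uint64_t baser, uint64_t page_sz,
                                      uint64_t num_pages, bool buggy)
{
    TableDesc td;
    uint64_t field = baser_entrysize_field(baser);

    td.page_sz = page_sz;
    td.entry_sz = buggy ? field : field + 1;
    /* Guard the buggy path: a raw field of 0 would otherwise divide by zero. */
    td.max_entries = td.entry_sz ? (num_pages * page_sz) / td.entry_sz : 0;
    return td;
}

/* The bound check applied to a guest-supplied index. */
static bool index_in_range(const TableDesc *td, uint64_t index)
{
    return index < td->max_entries;
}

/* Byte offset of an entry inside an L2 page: the slot is chosen with the
 * decoded entry size, but the access itself is ENTRY_BYTES wide. */
static uint64_t l2_entry_offset(const TableDesc *td, uint64_t index)
{
    uint64_t entries_per_page = td->page_sz / td->entry_sz;
    return (index % entries_per_page) * ENTRY_BYTES;
}

/* True when the whole ENTRY_BYTES access stays inside the page. */
static bool l2_access_in_page(const TableDesc *td, uint64_t index)
{
    return l2_entry_offset(td, index) + ENTRY_BYTES <= td->page_sz;
}

/* Convenience wrappers over the constructed sample table. */
static TableDesc demo_table(bool buggy)
{
    return extract_table_params(SAMPLE_BASER, SAMPLE_PAGE_SZ,
                                SAMPLE_NUM_PAGES, buggy);
}

static uint64_t demo_max_entries(bool buggy)
{
    TableDesc td = demo_table(buggy);
    return td.max_entries;
}

static bool demo_index_accepted(bool buggy, uint64_t index)
{
    TableDesc td = demo_table(buggy);
    return index_in_range(&td, index);
}

static uint64_t demo_l2_offset(bool buggy, uint64_t index)
{
    TableDesc td = demo_table(buggy);
    return l2_entry_offset(&td, index);
}

static bool demo_l2_access_in_page(bool buggy, uint64_t index)
{
    TableDesc td = demo_table(buggy);
    return l2_access_in_page(&td, index);
}

int main(void)
{
    uint64_t idx = 540;  /* constructed guest index: inside the buggy bound only */

    printf("max_entries: buggy=%" PRIu64 " fixed=%" PRIu64 "\n",
           demo_max_entries(true), demo_max_entries(false));
    printf("index %" PRIu64 " accepted: buggy=%d fixed=%d\n", idx,
           demo_index_accepted(true, idx), demo_index_accepted(false, idx));
    printf("buggy L2 offset %" PRIu64 ", inside page: %d\n",
           demo_l2_offset(true, idx), demo_l2_access_in_page(true, idx));
    return 0;
}
```

With the raw field value 7 taken as the entry size, the 4 KiB page is believed to hold 585 entries instead of 512, so index 540 passes the bound check; the L2 slot computation then places an 8-byte access at offset 4320, past the end of the page, which is the memory corruption the message describes. With the fix, index 540 is rejected up front and every accepted index maps inside the page.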



2022-01-07 17:21 [PULL 00/19] target-arm queue Peter Maydell
2022-01-07 17:21 ` [PULL 01/19] Add dummy Aspeed AST2600 Display Port MCU (DPMCU) Peter Maydell
2022-01-07 17:21 ` [PULL 02/19] target/arm: Add missing FEAT_TLBIOS instructions Peter Maydell
2022-01-07 17:21 ` [PULL 03/19] hw/intc/arm_gicv3_its: Correct off-by-one bounds check on rdbase Peter Maydell
2022-01-07 17:21 ` [PULL 04/19] hw/intc/arm_gicv3_its: Remove redundant ITS_CTLR_ENABLED define Peter Maydell
2022-01-07 17:21 ` [PULL 05/19] hw/intc/arm_gicv3_its: Remove maxids union from TableDesc Peter Maydell
2022-01-07 17:21 ` [PULL 06/19] hw/intc/arm_gicv3_its: Don't return early in extract_table_params() loop Peter Maydell
2022-01-07 17:21 ` [PULL 07/19] hw/intc/arm_gicv3_its: Reduce code duplication in extract_table_params() Peter Maydell
2022-01-07 17:21 ` [PULL 08/19] hw/intc/arm_gicv3_its: Correct setting of TableDesc entry_sz Peter Maydell
2022-01-07 17:21 ` [PULL 09/19] hw/intc/arm_gicv3_its: Don't misuse GITS_TYPE_PHYSICAL define Peter Maydell
2022-01-07 17:21 ` [PULL 10/19] hw/intc/arm_gicv3_its: Correct handling of MAPI Peter Maydell
2022-01-07 17:21 ` [PULL 11/19] hw/intc/arm_gicv3_its: Use FIELD macros for DTEs Peter Maydell
2022-01-07 17:21 ` [PULL 12/19] hw/intc/arm_gicv3_its: Correct comment about CTE RDBase field size Peter Maydell
2022-01-07 17:21 ` [PULL 13/19] hw/intc/arm_gicv3_its: Use FIELD macros for CTEs Peter Maydell
2022-01-07 17:21 ` [PULL 14/19] hw/intc/arm_gicv3_its: Fix various off-by-one errors Peter Maydell
2022-01-07 17:21 ` [PULL 15/19] hw/intc/arm_gicv3_its: Rename max_l2_entries to num_l2_entries Peter Maydell
2022-01-07 17:21 ` [PULL 16/19] hw/arm: Add kudo i2c eeproms Peter Maydell
2022-01-07 17:21 ` [PULL 17/19] hw/arm: attach MMC to kudo-bmc Peter Maydell
2022-01-07 17:21 ` [PULL 18/19] hw/arm: add i2c muxes " Peter Maydell
2022-01-07 17:21 ` [PULL 19/19] hw/arm: kudo add lm75s on bus 13 Peter Maydell
2022-01-07 21:17 ` [PULL 00/19] target-arm queue Richard Henderson
