From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PULL 25/38] hw/intc/arm_gicv3_its: Fix event ID bounds checks
Date: Thu, 20 Jan 2022 12:36:17 +0000
Message-ID: <20220120123630.267975-26-peter.maydell@linaro.org>
In-Reply-To: <20220120123630.267975-1-peter.maydell@linaro.org>

In process_its_cmd() and process_mapti() we must check the
event ID against a limit defined by the size field in the DTE,
which specifies the number of ID bits minus one. Convert
this code to our num_foo convention:
 * change the variable names
 * use uint64_t and 1ULL when calculating the number
   of valid event IDs, because DTE.SIZE is 5 bits and
   so num_eventids may be up to 2^32
 * fix the off-by-one error in the comparison

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20220111171048.3545974-2-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index fa3cdb57554..6d11fa02040 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -225,7 +225,7 @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
     MemTxResult res = MEMTX_OK;
     bool dte_valid;
     uint64_t dte = 0;
-    uint32_t max_eventid;
+    uint64_t num_eventids;
     uint16_t icid = 0;
     uint32_t pIntid = 0;
     bool ite_valid = false;
@@ -258,7 +258,7 @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
     dte_valid = FIELD_EX64(dte, DTE, VALID);
 
     if (dte_valid) {
-        max_eventid = 1UL << (FIELD_EX64(dte, DTE, SIZE) + 1);
+        num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 
         ite_valid = get_ite(s, eventid, dte, &icid, &pIntid, &res);
 
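Review bot: In process_its_cmd(), eventid is passed to get_ite() immediately after num_eventids is computed, and is only compared against num_eventids in the later else-if branch, so the ITE lookup runs on a guest-supplied event ID that has not been range-checked yet. Consider testing "eventid >= num_eventids" before the get_ite() call, or state in a comment why get_ite() is safe for out-of-range IDs.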
@@ -299,10 +299,11 @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
                       dte_valid ? "valid" : "invalid",
                       ite_valid ? "valid" : "invalid",
                       cte_valid ? "valid" : "invalid");
-    } else if (eventid > max_eventid) {
+    } else if (eventid >= num_eventids) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s: invalid command attributes: eventid %d > %d\n",
-                      __func__, eventid, max_eventid);
+                      "%s: invalid command attributes: eventid %d >= %"
+                      PRId64 "\n",
+                      __func__, eventid, num_eventids);
     } else {
         /*
          * Current implementation only supports rdbase == procnum
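Review bot: The new log format prints num_eventids with PRId64, but the variable is declared uint64_t at the top of this function, so PRIu64 is the matching specifier. The value is at most 2^32, so the output is the same today, but using the unsigned macro keeps the format string consistent with the type the commit message deliberately widened.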
@@ -336,7 +337,8 @@ static bool process_mapti(GICv3ITSState *s, uint64_t value, uint32_t offset,
     AddressSpace *as = &s->gicv3->dma_as;
     uint32_t devid, eventid;
     uint32_t pIntid = 0;
-    uint32_t max_eventid, max_Intid;
+    uint64_t num_eventids;
+    uint32_t max_Intid;
     bool dte_valid;
     MemTxResult res = MEMTX_OK;
     uint16_t icid = 0;
@@ -376,11 +378,11 @@ static bool process_mapti(GICv3ITSState *s, uint64_t value, uint32_t offset,
         return result;
     }
     dte_valid = FIELD_EX64(dte, DTE, VALID);
-    max_eventid = 1UL << (FIELD_EX64(dte, DTE, SIZE) + 1);
+    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
     max_Intid = (1ULL << (GICD_TYPER_IDBITS + 1)) - 1;
 
     if ((devid >= s->dt.num_ids) || (icid >= s->ct.num_ids)
-            || !dte_valid || (eventid > max_eventid) ||
+            || !dte_valid || (eventid >= num_eventids) ||
             (((pIntid < GICV3_LPI_INTID_START) || (pIntid > max_Intid)) &&
              (pIntid != INTID_SPURIOUS))) {
         qemu_log_mask(LOG_GUEST_ERROR,
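Review bot: The condition in process_mapti() now mixes two conventions: "eventid >= num_eventids" sits next to "pIntid > max_Intid", where max_Intid is still computed as "(1ULL << (GICD_TYPER_IDBITS + 1)) - 1". Converting the interrupt ID check to a num_intids form as well would keep the comparisons uniform and make an off-by-one of the kind fixed here easier to spot. The num_eventids calculation is also duplicated from process_its_cmd(); a small helper that takes the DTE would keep the two copies in step.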
-- 
2.25.1


