
kvm: mpic: extend active IRQ sources to 255

Message ID 20191113171208.8509-1-ppandit@redhat.com
State Rejected

Commit Message

Prasad Pandit Nov. 13, 2019, 5:12 p.m. UTC
From: P J P <pjp@fedoraproject.org>

openpic_src_write sets interrupt level 'src->output' masked with
ILR_INTTGT_MASK(=0xFF). It's then used to index 'dst->outputs_active'
array. With NUM_INPUTS=3, it may lead to OOB array access.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
---
 arch/powerpc/kvm/mpic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul Mackerras Nov. 14, 2019, 11:53 p.m. UTC | #1
On Wed, Nov 13, 2019 at 10:42:08PM +0530, P J P wrote:
> From: P J P <pjp@fedoraproject.org>
> 
> openpic_src_write sets interrupt level 'src->output' masked with
> ILR_INTTGT_MASK(=0xFF). It's then used to index 'dst->outputs_active'
> array. With NUM_INPUTS=3, it may lead to OOB array access.
> 
> Reported-by: Reno Robert <renorobert@gmail.com>
> Signed-off-by: P J P <pjp@fedoraproject.org>
> ---
>  arch/powerpc/kvm/mpic.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
> index fe312c160d97..a5ae884d3891 100644
> --- a/arch/powerpc/kvm/mpic.c
> +++ b/arch/powerpc/kvm/mpic.c
> @@ -103,7 +103,7 @@ static struct fsl_mpic_info fsl_mpic_42 = {
>  #define ILR_INTTGT_INT    0x00
>  #define ILR_INTTGT_CINT   0x01	/* critical */
>  #define ILR_INTTGT_MCP    0x02	/* machine check */
> -#define NUM_OUTPUTS       3
> +#define NUM_OUTPUTS       0xff

I don't think this is the correct fix.  This code is emulating
hardware which can drive up to three interrupt outputs per CPU, not
255.  Instead we need either to prevent src->output from being set to
3 or greater, or else limit its value when it is used.

Paul.
Prasad Pandit Nov. 15, 2019, 6:17 a.m. UTC | #2
Hello Paul,

+-- On Fri, 15 Nov 2019, Paul Mackerras wrote --+
| Instead we need either to prevent src->output from being set to 3 or 
| greater, or else limit its value when it is used.

I've sent a revised patch v2 for this.

It is not clear if this issue can be misused from a guest running on the PPC E500 
platform, considering E500 is mostly used for SoC/embedded systems.

...wdyt?
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

Patch

diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
index fe312c160d97..a5ae884d3891 100644
--- a/arch/powerpc/kvm/mpic.c
+++ b/arch/powerpc/kvm/mpic.c
@@ -103,7 +103,7 @@  static struct fsl_mpic_info fsl_mpic_42 = {
 #define ILR_INTTGT_INT    0x00
 #define ILR_INTTGT_CINT   0x01	/* critical */
 #define ILR_INTTGT_MCP    0x02	/* machine check */
-#define NUM_OUTPUTS       3
+#define NUM_OUTPUTS       0xff
 
 #define MSIIR_OFFSET       0x140
 #define MSIIR_SRS_SHIFT    29
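Review bot: raising NUM_OUTPUTS from 3 to 0xff resizes the emulated per-CPU output set instead of validating the index, so an ILR_INTTGT value of 3 or more written by the guest would still be accepted as a valid output even though only ILR_INTTGT_INT, ILR_INTTGT_CINT and ILR_INTTGT_MCP (0x00, 0x01, 0x02) are defined in the lines just above the change. The narrower fix is to keep NUM_OUTPUTS at 3 and bound src->output in openpic_src_write, where the ILR_INTTGT_MASK value comes from the guest: reject or ignore values >= NUM_OUTPUTS before they are stored, or check the index before it is used to access dst->outputs_active. The commit message also says NUM_INPUTS=3 while the hunk changes NUM_OUTPUTS; the description should name the constant it actually modifies.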