{"id":1585793,"url":"http://patchwork.ozlabs.org/api/patches/1585793/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20220128153009.2467560-29-peter.maydell@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20220128153009.2467560-29-peter.maydell@linaro.org>","list_archive_url":null,"date":"2022-01-28T15:30:05","name":"[PULL,28/32] hw/intc/arm_gicv3_its: Check table bounds against correct limit","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"89295810e9fe0bd58d903bf0de4c19f8b5b9fa91","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/people/5111/?format=json","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20220128153009.2467560-29-peter.maydell@linaro.org/mbox/","series":[{"id":283405,"url":"http://patchwork.ozlabs.org/api/series/283405/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=283405","date":"2022-01-28T15:29:53","name":"[PULL,01/32] Update copyright dates to 2022","version":1,"mbox":"http://patchwork.ozlabs.org/series/283405/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/1585793/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/1585793/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["bilbo.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=hvP1BxRH;\n\tdkim-atps=neutral","ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=<UNKNOWN>)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby bilbo.ozlabs.org (Postfix) with ESMTPS id 4Jljby231Xz9t3b\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 29 Jan 2022 03:30:04 +1100 (AEDT)","from localhost ([::1]:53790 helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1nDU8O-0007Cm-Ru\n\tfor incoming@patchwork.ozlabs.org; Fri, 28 Jan 2022 11:30:00 -0500","from eggs.gnu.org ([209.51.188.92]:58078)\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <peter.maydell@linaro.org>)\n id 1nDTDN-0002G0-W9\n for qemu-devel@nongnu.org; Fri, 28 Jan 2022 10:31:06 -0500","from [2a00:1450:4864:20::436] (port=45774\n helo=mail-wr1-x436.google.com)\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <peter.maydell@linaro.org>)\n id 1nDTDK-0006Qx-Rw\n for qemu-devel@nongnu.org; Fri, 28 Jan 2022 10:31:05 -0500","by mail-wr1-x436.google.com with SMTP id m14so11326644wrg.12\n for <qemu-devel@nongnu.org>; Fri, 28 Jan 2022 07:30:40 -0800 (PST)","from orth.archaic.org.uk (orth.archaic.org.uk. [2001:8b0:1d0::2])\n by smtp.gmail.com with ESMTPSA id j3sm4749485wrb.57.2022.01.28.07.30.39\n for <qemu-devel@nongnu.org>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 28 Jan 2022 07:30:39 -0800 (PST)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;\n h=from:to:subject:date:message-id:in-reply-to:references:mime-version\n :content-transfer-encoding;\n bh=nt57404GQCCDte9pU9fRtCALvozcsS/OoqOX4/fyBcM=;\n b=hvP1BxRHrVVGIC+2SZ/e041kduzkcI+ouJCDxTVLcVJBWZOzy5spcDjh19lAnzg4Uf\n AjguVEmYS0IasvYwSsb6tmWPi0AHJeAhFg1k7OtobyuyizsxLPf5SPTJ8ZrQSz70G2Tm\n spG2MDUEl69VzfGuC42emtQG55g8O7fRmgRwsX1QvpWWMp20NKw36y6raWdrjYZzvd67\n Vg4tlwVKIsU8nJnxTjdpj4/0ZbTXX0Rv1XKa/eO6t9sW+KgaI9HlrDLYmTmjXbytU65r\n +I9+5DQgLOnvbP0N4atrnXPNLGnJhW1g44s3HyApFhn+liFbAagLdhi5+mEE6634fSoI\n 1tJg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20210112;\n h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to\n :references:mime-version:content-transfer-encoding;\n bh=nt57404GQCCDte9pU9fRtCALvozcsS/OoqOX4/fyBcM=;\n b=hD9BHdv3Y1cxPgc6ysq6nnkv6U2RemerkGvaZHFoz8GadLHC9tCbJ7v74Z0e54amOS\n 2rNt6v6FWLqnW4QQ7aNy8yF9QipNXE9RT5SFS1yCKG7OPMKRhhYdR4+QNoEBVwSk6jJh\n ntD2dEpDA6SBRNzxly1hUT4tvX1u7gEvGLGtIXwb1nks4x8CZEM+XUxEsHCbNraOAhxV\n iLK1McKcshNhRRFwzxtK7iEoQfPgAJcZ86ppr0u93vm41BZvGLzPm0/0Z9ZPFvg+Ih48\n 5hCOvU/xChfCsEVTR5tZ99GLVZKmAqeJsvo0tXJK5k553ti/+xnPf+wZNaj4oHsI1VFx\n X09A==","X-Gm-Message-State":"AOAM530QsKxiZj4NYEJEVn7GT4ItzC0YkKEndn1mCgcf/retSxva/Ico\n RDusFSy17DsPLN7iXkA6PZh889cqMMCEQQ==","X-Google-Smtp-Source":"\n ABdhPJzbFduWPRkOSy/ozR19uwdbbh35PrAwseSJyc2sEHNW0j8Otf3UkGXZ0W0I2hMGEybD45bpUw==","X-Received":"by 2002:a05:6000:1448:: with SMTP id\n v8mr7309817wrx.43.1643383840083;\n Fri, 28 Jan 2022 07:30:40 -0800 (PST)","From":"Peter Maydell <peter.maydell@linaro.org>","To":"qemu-devel@nongnu.org","Subject":"[PULL 28/32] hw/intc/arm_gicv3_its: Check table bounds against\n correct limit","Date":"Fri, 28 Jan 2022 15:30:05 +0000","Message-Id":"<20220128153009.2467560-29-peter.maydell@linaro.org>","X-Mailer":"git-send-email 2.25.1","In-Reply-To":"<20220128153009.2467560-1-peter.maydell@linaro.org>","References":"<20220128153009.2467560-1-peter.maydell@linaro.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Host-Lookup-Failed":"Reverse DNS lookup failed for 2a00:1450:4864:20::436\n (failed)","Received-SPF":"pass client-ip=2a00:1450:4864:20::436;\n envelope-from=peter.maydell@linaro.org; helo=mail-wr1-x436.google.com","X-Spam_score_int":"-12","X-Spam_score":"-1.3","X-Spam_bar":"-","X-Spam_report":"(-1.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n PDS_HP_HELO_NORDNS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001,\n T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"},"content":"Currently when we fill in a TableDesc based on the value the guest\nhas written to the GITS_BASER<n> register, we calculate both:\n * num_entries : the number of entries in the table, constrained\n   by the amount of memory the guest has given it\n * num_ids : the number of IDs we support for this table,\n   constrained by the implementation choices and the architecture\n   (eg DeviceIDs are 16 bits, so num_ids is 1 << 16)\n\nWhen validating ITS commands, however, we check only num_ids,\nthus allowing a broken guest to specify table entries that\nindex off the end of it. This will only corrupt guest memory,\nbut the ITS is supposed to reject such commands as invalid.\n\nInstead of calculating both num_entries and num_ids, set\nnum_entries to the minimum of the two limits, and check that.\n\nSigned-off-by: Peter Maydell <peter.maydell@linaro.org>\nReviewed-by: Richard Henderson <richard.henderson@linaro.org>\nMessage-id: 20220122182444.724087-13-peter.maydell@linaro.org\n---\n include/hw/intc/arm_gicv3_its_common.h |  1 -\n hw/intc/arm_gicv3_its.c                | 18 +++++++++---------\n 2 files changed, 9 insertions(+), 10 deletions(-)","diff":"diff --git a/include/hw/intc/arm_gicv3_its_common.h b/include/hw/intc/arm_gicv3_its_common.h\nindex b32c697207f..3e2ad2dff60 100644\n--- a/include/hw/intc/arm_gicv3_its_common.h\n+++ b/include/hw/intc/arm_gicv3_its_common.h\n@@ -47,7 +47,6 @@ typedef struct {\n     uint16_t entry_sz;\n     uint32_t page_sz;\n     uint32_t num_entries;\n-    uint32_t num_ids;\n     uint64_t base_addr;\n } TableDesc;\n \ndiff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c\nindex 237198845d7..3f2ead45369 100644\n--- a/hw/intc/arm_gicv3_its.c\n+++ b/hw/intc/arm_gicv3_its.c\n@@ -256,10 +256,10 @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,\n \n     eventid = (value & EVENTID_MASK);\n \n-    if (devid >= s->dt.num_ids) {\n+    if (devid >= s->dt.num_entries) {\n         qemu_log_mask(LOG_GUEST_ERROR,\n                       \"%s: invalid command attributes: devid %d>=%d\",\n-                      __func__, devid, s->dt.num_ids);\n+                      __func__, devid, s->dt.num_entries);\n         return CMD_CONTINUE;\n     }\n \n@@ -300,7 +300,7 @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,\n         return CMD_CONTINUE;\n     }\n \n-    if (icid >= s->ct.num_ids) {\n+    if (icid >= s->ct.num_entries) {\n         qemu_log_mask(LOG_GUEST_ERROR,\n                       \"%s: invalid ICID 0x%x in ITE (table corrupted?)\\n\",\n                       __func__, icid);\n@@ -384,10 +384,10 @@ static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,\n \n     icid = value & ICID_MASK;\n \n-    if (devid >= s->dt.num_ids) {\n+    if (devid >= s->dt.num_entries) {\n         qemu_log_mask(LOG_GUEST_ERROR,\n                       \"%s: invalid command attributes: devid %d>=%d\",\n-                      __func__, devid, s->dt.num_ids);\n+                      __func__, devid, s->dt.num_entries);\n         return CMD_CONTINUE;\n     }\n \n@@ -400,7 +400,7 @@ static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,\n     num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);\n     num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);\n \n-    if ((icid >= s->ct.num_ids)\n+    if ((icid >= s->ct.num_entries)\n             || !dte_valid || (eventid >= num_eventids) ||\n             (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&\n              (pIntid != INTID_SPURIOUS))) {\n@@ -485,7 +485,7 @@ static ItsCmdResult process_mapc(GICv3ITSState *s, uint32_t offset)\n \n     valid = (value & CMD_FIELD_VALID_MASK);\n \n-    if ((icid >= s->ct.num_ids) || (rdbase >= s->gicv3->num_cpu)) {\n+    if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {\n         qemu_log_mask(LOG_GUEST_ERROR,\n                       \"ITS MAPC: invalid collection table attributes \"\n                       \"icid %d rdbase %\" PRIu64 \"\\n\",  icid, rdbase);\n@@ -566,7 +566,7 @@ static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,\n \n     valid = (value & CMD_FIELD_VALID_MASK);\n \n-    if ((devid >= s->dt.num_ids) ||\n+    if ((devid >= s->dt.num_entries) ||\n         (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {\n         qemu_log_mask(LOG_GUEST_ERROR,\n                       \"ITS MAPD: invalid device table attributes \"\n@@ -791,7 +791,7 @@ static void extract_table_params(GICv3ITSState *s)\n                                   L1TABLE_ENTRY_SIZE) *\n                                  (page_sz / td->entry_sz));\n         }\n-        td->num_ids = 1ULL << idbits;\n+        td->num_entries = MIN(td->num_entries, 1ULL << idbits);\n     }\n }\n \n","prefixes":["PULL","28/32"]}