From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Li Qiang, Peter Maydell, Darren Kenny, qemu-arm@nongnu.org, Luc Michel, "Edgar E . Iglesias", Prasad J Pandit, Sai Pavan Boddu, Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov
Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Date: Sun, 31 Jan 2021 11:34:01 +0100
Message-Id: <20210131103401.217160-1-f4bug@amsat.org>

Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bits,
not 10:

  - 4.3 Distributor register descriptions
  - 4.3.15 Software Generated Interrupt Register, GICD_SG
  - Table 4-21 GICD_SGIR bit assignments

    The Interrupt ID of the SGI to forward to the specified CPU
    interfaces. The value of this field is the Interrupt ID, in
    the range 0-15, for example a value of 0b0011 specifies
    Interrupt ID 3.

Correct the irq mask to fix an undefined behavior (which eventually
led to a heap-buffer-overflow, see [Buglink]):

  $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
  [I 1612088147.116987] OPENED
  [R +0.278293] writel 0x8000f00 0xff4affb0
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13

Cc: qemu-stable@nongnu.org
Fixes: 9ee6e8bb853 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Reported-by: Alexander Bulekov
Signed-off-by: Philippe Mathieu-Daudé
---
Isn't it worth a CVE to help distributions track backports?
---
 hw/intc/arm_gic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c index af41e2fb448..75316329516 100644 --- a/hw/intc/arm_gic.c +++ b/hw/intc/arm_gic.c @@ -1476,7 +1476,7 @@ static void gic_dist_writel(void *opaque, hwaddr offs= et, int target_cpu; =20 cpu =3D gic_get_current_cpu(s); - irq =3D value & 0x3ff; + irq =3D value & 0xf; switch ((value >> 24) & 3) { case 0: mask =3D (value >> 16) & ALL_CPU_MASK; --=20 2.26.2
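Review bot: The narrowed mask `irq = value & 0xf;` is correct per Table 4-21 (SGIINTID is bits [3:0]) and accounts for the reproducer exactly: 0xff4affb0 & 0x3ff is 944, the out-of-bounds row UBSan reports for `uint8_t [16][8]`, whereas 0xff4affb0 & 0xf is 0. Since a 10-bit mask is the usual width for a GIC interrupt ID, a reader may take the lone 0xf for a typo; a short comment on that line, e.g. `irq = value & 0xf; /* SGIINTID: GICD_SGIR[3:0], SGIs are IDs 0-15 */`, would document the intent. The one-line qtest reproducer from the commit message is also cheap to carry as a regression test alongside the fix.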
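The decode below is an added illustration, not QEMU's code: it splits a GICD_SGIR write into the fields the commit message cites (target list filter, CPU target list, SGIINTID) and lets the caller pick the interrupt-ID mask, so the buggy 0x3ff and corrected 0xf results for the reproducer value can be compared against the 16-row `sgi_pending` table size from the UBSan report. `GIC_NCPU`, `current_cpu` and the field names are assumptions for the example.

```c
/* Added example (not QEMU code): decode a GICD_SGIR write as described in
 * the commit message and show why masking the ID with 0x3ff instead of 0xf
 * can index past the 16 SGI rows of sgi_pending[16][8]. Field positions
 * follow ARM IHI 0048B Table 4-21 (GICv2). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GIC_NCPU     8   /* assumed: second dimension of uint8_t [16][8] in the report */
#define GIC_NR_SGIS  16  /* SGIs are interrupt IDs 0-15 */
#define ALL_CPU_MASK ((1u << GIC_NCPU) - 1)

struct sgir_fields {
    unsigned filter;   /* bits [25:24]: 0 = target list, 1 = all but self, 2 = self, 3 = reserved */
    unsigned targets;  /* bits [23:16]: CPU target list, or derived from the filter */
    unsigned irq;      /* SGIINTID: bits [3:0] per the spec */
};

/* irq_mask is caller-chosen so both the old (0x3ff) and fixed (0xf) masks
 * can be observed; current_cpu is the CPU performing the write (assumed). */
struct sgir_fields decode_sgir(uint32_t value, uint32_t irq_mask, unsigned current_cpu)
{
    struct sgir_fields f;
    f.irq = value & irq_mask;
    f.filter = (value >> 24) & 3;
    switch (f.filter) {
    case 0:  f.targets = (value >> 16) & ALL_CPU_MASK; break;
    case 1:  f.targets = ALL_CPU_MASK & ~(1u << current_cpu); break;
    case 2:  f.targets = 1u << current_cpu; break;
    default: f.targets = 0; break;  /* reserved encoding: nothing to forward */
    }
    return f;
}

/* True when the decoded ID is a valid row of sgi_pending[GIC_NR_SGIS][GIC_NCPU]. */
bool sgir_irq_in_bounds(uint32_t value, uint32_t irq_mask)
{
    return decode_sgir(value, irq_mask, 0).irq < GIC_NR_SGIS;
}

int main(void)
{
    uint32_t v = 0xff4affb0u;  /* value from the qtest reproducer in the commit message */
    printf("mask 0x3ff: irq=%u (%s)\n", decode_sgir(v, 0x3ff, 0).irq,
           sgir_irq_in_bounds(v, 0x3ff) ? "in bounds" : "out of bounds");
    printf("mask 0xf:   irq=%u (%s)\n", decode_sgir(v, 0xf, 0).irq,
           sgir_irq_in_bounds(v, 0xf) ? "in bounds" : "out of bounds");
    return 0;
}
```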