From nobody Wed Apr 16 14:12:15 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=linaro.org ARC-Seal: i=1; a=rsa-sha256; t=1641576265; cv=none; d=zohomail.com; s=zohoarc; b=cxrXKB+kQcklvejYPEAmvZhaA9HvS7BLc4L3RH8wW/VE4KyuE90ckdIOdTzTQvpQ4K1Lsoj4/2CPoKddw0knkqdAX8HVrOLeEHEVXb+T5lJmYfgf1fzO7stHsTFxYfNRyDxeCdKZVVZFGrECf9nC+jMSxulRX5Y3oUs0TGQUpLQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1641576265; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Q5OaLs830Ox8Bfylb1X2zHy5rJRr7MHpRwjdBpXLrtw=; b=fpyTPNvLf0FeCBmegUqHOKTVxvL5Nt6WvECw4mnZ+CEYEcJWupByEkHOnnmIoCjo6+xRHsltg0A/o4IJ9dQckHVVntPL0FupRYOMhlgyEUsGiPCSd9M9O01OclUHkeXkj7+FuKrhN7r5w4cO3AV0CZ1Vrdh9W/h00ZAZyo2+sRM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1641576265017587.637619690609; Fri, 7 Jan 2022 09:24:25 -0800 (PST) Received: from localhost ([::1]:43500 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1n5syV-0007oA-Ia for importer@patchew.org; Fri, 07 Jan 2022 12:24:23 -0500 Received: from eggs.gnu.org ([209.51.188.92]:49012) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1n5sw4-00056g-Vx for qemu-devel@nongnu.org; Fri, 07 Jan 2022 12:21:53 -0500 Received: from [2a00:1450:4864:20::331] (port=44640 helo=mail-wm1-x331.google.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1n5sw2-0007tL-Ib for qemu-devel@nongnu.org; Fri, 07 Jan 2022 12:21:52 -0500 Received: by mail-wm1-x331.google.com with SMTP id f189-20020a1c1fc6000000b00347ac5ccf6cso1248150wmf.3 for ; Fri, 07 Jan 2022 09:21:50 -0800 (PST) Received: from orth.archaic.org.uk (orth.archaic.org.uk. [2001:8b0:1d0::2]) by smtp.gmail.com with ESMTPSA id i6sm6060219wrf.79.2022.01.07.09.21.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 07 Jan 2022 09:21:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=Q5OaLs830Ox8Bfylb1X2zHy5rJRr7MHpRwjdBpXLrtw=; b=m5Yn572xDBOFXtoMV4O40kBs4+7nVZywJ7KHoFoqcLmqtiiWs3Im0hNTEfr7ar3HN9 8QQeQaHzaQrLi1JrxU3DPUEMu98wgtNLlI+dFZhyqCo21K5SJEEtBU7S+/BFt5aTokDs 4yK7lqjXiJ3mJ/FuYgwJSLVYzStLJkNW8TikbM+ORGsVnDlrjhIXbDgnt1TF+sm+fOxP 1kiabEHux0C+fgnZhSDeGa2WM0bQRO7XCgb6/I8EbLprdceCCd7ReDxDrtsvDQC376UO iOCzPblz7lQdClElDmJWWJsqYNLeEeDzUPf7fT4MzWedX8J1qhrkqdZzNsYVy7Ok5Yl3 gzzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Q5OaLs830Ox8Bfylb1X2zHy5rJRr7MHpRwjdBpXLrtw=; b=1EMw7yvoVhokvfPqjm7S8D/83uHR+jEQwB/EVLgKQ+fHmCOCbTpujVcY6S1WRwyXRl r6/977OERB6fOOglBX1X3sqCTQYgz7BqtSkp/77WuDGch9ifG/W/JXLeqEuyottX54Yr YKrwZZNO+N2KUsuAo/RlcV0P+hTkxuAbS31lV9wNCNq52f2Ns6+6GyYzZj+R+pA3ySi5 IMDLtU36wIPiODUD4lVQEGLhdkSqeV/Ri8JC+GNLl7dFZPALLKamutOf2LZ+WJ5OIJuH FAEXh+XzPtGGmV72Q6aHR/ftPBcGL9f6gs3hVYu3PkQLBh0opcjfM2aMZNLcLJWkRhe1 Zhbg== X-Gm-Message-State: AOAM533igOSkkBfFkhExfgf3WCAYiSFFvouheW4NC00O0GxG5cWqNzfU HeGFG3rs6L8dMgfAgdKg47RMHGeRxI0qMg== X-Google-Smtp-Source: ABdhPJwyV5GIWZavHC49s5TBaJQU+X9NFwVy87b0YJjT4HICIcuklFnQuUk1u6J98Sv1zWrraKLYxQ== X-Received: by 2002:a05:600c:4e88:: with SMTP id f8mr11938696wmq.45.1641576109361; Fri, 07 Jan 2022 09:21:49 -0800 (PST) From: Peter Maydell To: qemu-devel@nongnu.org Subject: [PULL 08/19] hw/intc/arm_gicv3_its: Correct setting of TableDesc entry_sz Date: Fri, 7 Jan 2022 17:21:31 +0000 Message-Id: <20220107172142.2651911-9-peter.maydell@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220107172142.2651911-1-peter.maydell@linaro.org> References: <20220107172142.2651911-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Host-Lookup-Failed: Reverse DNS lookup failed for 2a00:1450:4864:20::331 (failed) Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2a00:1450:4864:20::331; envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x331.google.com X-Spam_score_int: -12 X-Spam_score: -1.3 X-Spam_bar: - X-Spam_report: (-1.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @linaro.org) X-ZM-MESSAGEID: 1641576266619100001 We set the TableDesc entry_sz field from the appropriate GITS_BASER.ENTRYSIZE field. That ID register field specifies the number of bytes per table entry minus one. However when we use td->entry_sz we assume it to be the number of bytes per table entry (for instance we calculate the number of entries in a page by dividing the page size by the entry size). The effects of this bug are: * we miscalculate the maximum number of entries in the table, so our checks on guest index values are wrong (too lax) * when looking up an entry in the second level of an indirect table, we calculate an incorrect index into the L2 table. Because we make the same incorrect calculation on both reads and writes of the L2 table, the guest won't notice unless it's unlucky enough to use an index value that causes us to index off the end of the L2 table page and cause guest memory corruption in whatever follows Signed-off-by: Peter Maydell Reviewed-by: Alex Benn=C3=A9e Reviewed-by: Richard Henderson --- hw/intc/arm_gicv3_its.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c index 84808b1e298..88f4d730999 100644 --- a/hw/intc/arm_gicv3_its.c +++ b/hw/intc/arm_gicv3_its.c @@ -829,7 +829,7 @@ static void extract_table_params(GICv3ITSState *s) } td->page_sz =3D page_sz; td->indirect =3D FIELD_EX64(value, GITS_BASER, INDIRECT); - td->entry_sz =3D FIELD_EX64(value, GITS_BASER, ENTRYSIZE); + td->entry_sz =3D FIELD_EX64(value, GITS_BASER, ENTRYSIZE) + 1; td->base_addr =3D baser_base_addr(value, page_sz); if (!td->indirect) { td->max_entries =3D (num_pages * page_sz) / td->entry_sz; --=20 2.25.1