[PATCH] As reported in qemu-project/qemu#3324

Zexiang Zhang posted 1 patch 1 week ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/20260326152557.344808-1-chan9yan9@gmail.com
Maintainers: Nicholas Piggin <npiggin@gmail.com>, Harsh Prateek Bora <harshpb@linux.ibm.com>
There is a newer version of this series
From: kiki <Chan9Yan9@gmail.com>

A malformed IVE value can result in an invalid server field being
passed to icp_irq(). The function assumes the server id is valid and
may access invalid state otherwise, potentially leading to a crash.

Fix this by validating the server id before using it and ignoring
invalid values.

Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
---
 hw/intc/xics.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index 1d40c4386d..25c7b0c8a5 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -222,6 +222,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority)
 
     trace_xics_icp_irq(server, nr, priority);
 
+    if (!icp) {
+        qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
+                      server, nr);
+        ics_reject(ics, nr);
+        return;
+    }
+
     if ((priority >= CPPR(icp))
         || (XISR(icp) && (icp->pending_priority <= priority))) {
         ics_reject(ics, nr);
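Review bot: the commit message says invalid server ids are ignored, but the new block in icp_irq() calls ics_reject(ics, nr), which hands the interrupt back to the source rather than silently dropping it; the message and the code should agree, and rejecting is the consistent choice since the existing priority-check path just below does the same. The check also depends on how icp is obtained above the hunk, which the context lines do not show: the message should state that the server lookup returns NULL for an out-of-range server rather than asserting, otherwise the new NULL test is unreachable and the crash is not fixed. Finally, the subject line "As reported in qemu-project/qemu#3324" does not describe the change; a subject such as "hw/intc/xics: reject interrupts for an invalid server in icp_irq()" with a reference to the issue in the body would follow the tree's conventions.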
-- 
2.34.1