[PATCH v2] hw/intc/xics: Add a check for an invalid server id

Gautam Menghani posted 1 patch 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260428103645.50617-1-Gautam.Menghani@ibm.com
Maintainers: Nicholas Piggin <npiggin@gmail.com>, Harsh Prateek Bora <harshpb@linux.ibm.com>
hw/intc/xics.c | 8 ++++++++
1 file changed, 8 insertions(+)
[PATCH v2] hw/intc/xics: Add a check for an invalid server id
Posted by Gautam Menghani 1 month ago
From: kiki <Chan9Yan9@gmail.com>

A malformed IVE value can result in an invalid server field being
passed to icp_irq(). The function assumes the server id is valid and
may access invalid state otherwise, potentially leading to a crash.

Fix this by validating the server id before using it and ignoring
invalid values.

Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
---
v2:
1. Fix build error and subject line

 hw/intc/xics.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index c0a252d051..e32984e9fc 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -26,6 +26,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "qapi/error.h"
 #include "trace.h"
 #include "qemu/timer.h"
@@ -222,6 +223,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority)
 
     trace_xics_icp_irq(server, nr, priority);
 
+    if (!icp) {
+        qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
+                      server, nr);
+        ics_reject(ics, nr);
+        return;
+    }
+
     if ((priority >= CPPR(icp))
         || (XISR(icp) && (icp->pending_priority <= priority))) {
         ics_reject(ics, nr);
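Review bot: The new `if (!icp)` branch calls `ics_reject(ics, nr)` before returning, but the commit message says invalid values are ignored; the two should agree, and if rejecting is the intended behaviour a one-line comment above the branch saying why the interrupt is rejected rather than dropped would help. It is also worth confirming that rejecting an interrupt whose server never becomes valid cannot cause it to be re-presented repeatedly, with one `LOG_GUEST_ERROR` line each time. The guard tests the lookup result `icp` rather than `server` itself, which is reasonable as a last check inside `icp_irq()`. Since the message traces the bad value to a malformed IVE, consider also validating the server field where it is taken from the IVE, so the guest error is reported where it is introduced.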
-- 
2.52.0
Re: [PATCH v2] hw/intc/xics: Add a check for an invalid server id
Posted by Michael Tokarev 4 weeks ago
On 28.04.2026 13:36, Gautam Menghani wrote:
> From: kiki <Chan9Yan9@gmail.com>
> 
> A malformed IVE value can result in an invalid server field being
> passed to icp_irq(). The function assumes the server id is valid and
> may access invalid state otherwise, potentially leading to a crash.
> 
> Fix this by validating the server id before using it and ignoring
> invalid values.
> 
> Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
> Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
> Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>

(https://gitlab.com/qemu-project/qemu/-/work_items/3324)

I'm picking this small change to current qemu-stable series.
The issue seems to be unimportant, but the fix is simple too.
Please let me know if I shouldn't.

Thanks,

/mjt
Re: [PATCH v2] hw/intc/xics: Add a check for an invalid server id
Posted by Harsh Prateek Bora 4 weeks ago
Should be fine. Thanks Michael!

On Sat, 2 May, 2026, 5:07 pm Michael Tokarev, <mjt@tls.msk.ru> wrote:

> On 28.04.2026 13:36, Gautam Menghani wrote:
> > From: kiki <Chan9Yan9@gmail.com>
> >
> > A malformed IVE value can result in an invalid server field being
> > passed to icp_irq(). The function assumes the server id is valid and
> > may access invalid state otherwise, potentially leading to a crash.
> >
> > Fix this by validating the server id before using it and ignoring
> > invalid values.
> >
> > Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
> > Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
> > Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
>
> (https://gitlab.com/qemu-project/qemu/-/work_items/3324)
>
> I'm picking this small change to current qemu-stable series.
> The issue seems to be unimportant, but the fix is simple too.
> Please let me know if I shouldn't.
>
> Thanks,
>
> /mjt
Re: [PATCH v2] hw/intc/xics: Add a check for an invalid server id
Posted by Philippe Mathieu-Daudé 1 month ago
On 28/4/26 12:36, Gautam Menghani wrote:
> From: kiki <Chan9Yan9@gmail.com>
> 
> A malformed IVE value can result in an invalid server field being
> passed to icp_irq(). The function assumes the server id is valid and
> may access invalid state otherwise, potentially leading to a crash.
> 
> Fix this by validating the server id before using it and ignoring
> invalid values.
> 
> Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
> Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
> Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
> ---
> v2:
> 1. Fix build error and subject line
> 
>   hw/intc/xics.c | 8 ++++++++
>   1 file changed, 8 insertions(+)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>