From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Wei Che Kao
Subject: [PATCH] apic: fix delivery bitmask with modified xAPIC ids
Date: Fri, 15 May 2026 12:38:48 +0200
Message-ID: <20260515103848.3883904-1-pbonzini@redhat.com>

Self-IPIs (or all-but-self IPIs) in QEMU can cause an out-of-bounds access to deliver_bitmask, because the access uses the APIC ID register which is writable by the guest. However, foreach_apic uses the delivery bitmask indexes to look up the local_apics[] array, which is indexed by *initial* APIC id. Using the right id fixes both a possible heap write overflow if the modified APIC id is too large for max_apic_words, and a mis-delivery of both self and all-but-self IPIs.

Reported-by: Wei Che Kao
Signed-off-by: Paolo Bonzini Reviewed-by: Igor Mammedov --- hw/intc/apic.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/hw/intc/apic.c b/hw/intc/apic.c index e5ea8312617..0e8932005fa 100644 --- a/hw/intc/apic.c +++ b/hw/intc/apic.c @@ -648,13 +648,6 @@ static void apic_deliver(APICCommonState *s, uint32_t = dest, uint8_t dest_mode, APICCommonState *apic_iter; uint32_t deliver_bitmask_size =3D max_apic_words * sizeof(uint32_t); g_autofree uint32_t *deliver_bitmask =3D g_new(uint32_t, max_apic_word= s); - uint32_t current_apic_id; - - if (is_x2apic_mode(s)) { - current_apic_id =3D s->initial_apic_id; - } else { - current_apic_id =3D s->id; - } =20 switch (dest_shorthand) { case 0: @@ -662,14 +655,20 @@ static void apic_deliver(APICCommonState *s, uint32_t= dest, uint8_t dest_mode, break; case 1: memset(deliver_bitmask, 0x00, deliver_bitmask_size); - apic_set_bit(deliver_bitmask, current_apic_id); + /* + * The self and all-but-self cases do not use apic_match_dest() and + * directly fill in deliver_bitmask; the bitmask's indexes in turn + * map to local_apics[] slots which are never changed even if the + * xAPIC id is modified. So use s->initial_apic_id instead of s->= id. + */ + apic_set_bit(deliver_bitmask, s->initial_apic_id); break; case 2: memset(deliver_bitmask, 0xff, deliver_bitmask_size); break; case 3: memset(deliver_bitmask, 0xff, deliver_bitmask_size); - apic_reset_bit(deliver_bitmask, current_apic_id); + apic_reset_bit(deliver_bitmask, s->initial_apic_id); break; } =20 --=20 2.54.0
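Review bot: in the first hunk (@@ -648), dropping the `is_x2apic_mode(s)` block means `s->id` is no longer consulted anywhere in apic_deliver() for the shorthand cases, and the x2APIC branch already used `s->initial_apic_id`, so the change is behaviour-preserving there and only alters the xAPIC path; the commit message should say so, otherwise the deletion reads like a dead-code cleanup rather than the actual fix. Since the defect was a guest-controlled index (`s->id`) reaching apic_set_bit()/apic_reset_bit() on a buffer of `max_apic_words` words, consider documenting the invariant the fix now relies on with a check next to the `g_new(uint32_t, max_apic_words)` allocation, e.g. `assert(s->initial_apic_id < max_apic_words * 32);`, so a future change to how initial ids are assigned trips an assertion instead of silently overflowing again.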
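Review bot: in the second hunk (@@ -662), the new comment is placed inside `case 1` but the identical reasoning justifies the `apic_reset_bit(deliver_bitmask, s->initial_apic_id);` change in `case 3` a few lines below, which carries no comment; move the comment above `switch (dest_shorthand)` or mention both the self and all-but-self shorthands in it, so the case 3 edit is not mistaken for an unrelated change. It would also help to name the place where the bitmask indexes are turned into `local_apics[]` lookups (foreach_apic, per the commit message) in the comment itself, since that is the invariant a reader needs to verify that `s->initial_apic_id` is the right index.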