qemu-e2k/hw/intc
Philippe Mathieu-Daudé edfe2eb436 hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:

  - 4.3 Distributor register descriptions
  - 4.3.15 Software Generated Interrupt Register, GICD_SG

    - Table 4-21 GICD_SGIR bit assignments

    The Interrupt ID of the SGI to forward to the specified CPU
    interfaces. The value of this field is the Interrupt ID, in
    the range 0-15, for example a value of 0b0011 specifies
    Interrupt ID 3.

Correct the irq mask to fix an undefined behavior (which eventually
led to a heap-buffer-overflow, see [Buglink]):

  $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
  [I 1612088147.116987] OPENED
  [R +0.278293] writel 0x8000f00 0xff4affb0
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13

This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)

Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb85 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-02-02 17:00:55 +00:00
allwinner-a10-pic.c
apic_common.c i386: do not use ram_size global 2020-12-10 12:15:08 -05:00
apic.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
arm_gic_common.c
arm_gic_kvm.c
arm_gic.c hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register 2021-02-02 17:00:55 +00:00
arm_gicv2m.c arm tcg cpus: Fix Lesser GPL version number 2020-11-15 16:42:14 +01:00
arm_gicv3_common.c
arm_gicv3_cpuif.c hw/intc/arm_gicv3_cpuif: Make GIC maintenance interrupts work 2020-11-02 16:52:17 +00:00
arm_gicv3_dist.c
arm_gicv3_its_common.c
arm_gicv3_its_kvm.c arm tcg cpus: Fix Lesser GPL version number 2020-11-15 16:42:14 +01:00
arm_gicv3_kvm.c hw/intc/arm_gicv3_kvm: silence the compiler warnings 2020-12-18 09:14:23 +01:00
arm_gicv3_redist.c
arm_gicv3.c
armv7m_nvic.c hw/intc/armv7m_nvic: Correct handling of CCR.BFHFNMIGN 2021-01-08 15:13:38 +00:00
aspeed_vic.c
bcm2835_ic.c hw/intc/bcm2835_ic: Trace GPU/CPU IRQ handlers 2020-10-20 16:12:00 +01:00
bcm2836_control.c hw/intc/bcm2836_control: Use IRQ definitions instead of magic numbers 2020-10-20 16:12:00 +01:00
etraxfs_pic.c
exynos4210_combiner.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
exynos4210_gic.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
gic_internal.h
gicv3_internal.h
grlib_irqmp.c hw/sparc: Make grlib-irqmp device handle its own inbound IRQ lines 2021-01-06 11:41:37 +00:00
heathrow_pic.c
i8259_common.c
i8259.c
ibex_plic.c intc/ibex_plic: Clear interrupts that occur during claim process 2020-12-17 21:56:43 -08:00
imx_avic.c
imx_gpcv2.c
intc.c
ioapic_common.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
ioapic.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
Kconfig ppc: Simplify reverse dependencies of POWERNV and PSERIES on XICS and XIVE 2021-01-06 11:09:59 +11:00
lm32_pic.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
loongson_liointc.c hw/intc: Rework Loongson LIOINTC 2021-01-04 23:24:44 +01:00
meson.build ppc: Simplify reverse dependencies of POWERNV and PSERIES on XICS and XIVE 2021-01-06 11:09:59 +11:00
mips_gic.c
omap_intc.c
ompic.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
openpic_kvm.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
openpic.c
pl190.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pnv_xive_regs.h
pnv_xive.c
ppc-uic.c hw/intc/ppc-uic: Make default dcr-base 0xc0, not 0x30 2021-01-19 10:20:29 +11:00
puv3_intc.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
realview_gic.c
rx_icu.c hw/intc: fix heap-buffer-overflow in rxicu_realize() 2020-11-23 10:41:58 +00:00
s390_flic_kvm.c migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
s390_flic.c
sh_intc.c
sifive_clint.c
sifive_plic.c target/riscv: Add sifive_plic vmstate 2020-11-03 07:17:23 -08:00
slavio_intctl.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
spapr_xive_kvm.c xive: Add trace events 2020-12-14 15:54:12 +11:00
spapr_xive.c spapr/xive: Make spapr_xive_pic_print_info() static 2021-01-06 11:09:59 +11:00
trace-events xive: Add trace events 2020-12-14 15:54:12 +11:00
trace.h
vgic_common.h
xics_kvm.c spapr/xics: Drop unused argument to xics_kvm_has_broken_disconnect() 2020-12-14 15:50:55 +11:00
xics_pnv.c non-virt: Fix Lesser GPL version number 2020-11-15 16:38:24 +01:00
xics_spapr.c
xics.c
xilinx_intc.c
xive.c xive: Add trace events 2020-12-14 15:54:12 +11:00
xlnx-pmu-iomod-intc.c
xlnx-zynqmp-ipi.c