qemu/include
Peter Maydell 80dcd37feb hw/intc/arm_gicv3_its: Fix various off-by-one errors
The ITS code has to check whether various parameters passed in
commands are in-bounds, where the limit is defined in terms of the
number of bits that are available for the parameter.  (For example,
the GITS_TYPER.Devbits ID register field specifies the number of
DeviceID bits minus 1, and device IDs passed in the MAPTI and MAPD
command packets must fit in that many bits.)

Currently we have off-by-one bugs in many of these bounds checks.
The typical problem is that we define a max_foo as 1 << n. In
the Devbits example, we set
  s->dt.max_ids = 1UL << (GITS_TYPER.Devbits + 1).
However later when we do the bounds check we write
  if (devid > s->dt.max_ids) { /* command error */ }
which incorrectly permits a devid of 1 << n.

These bugs will not cause QEMU crashes because the ID values being
checked are only used for accesses into tables held in guest memory
which we access with address_space_*() functions, but they are
incorrect behaviour of our emulation.

Fix them by standardizing on this pattern:
 * bounds limits are named num_foos and are the 2^n value
   (equal to the number of valid foo values)
 * bounds checks are either
   if (fooid < num_foos) { good }
   or
   if (fooid >= num_foos) { bad }

In this commit we fix the handling of the number of IDs
in the device table and the collection table, and the number
of commands that will fit in the command queue.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2022-01-07 17:08:00 +00:00
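An added illustration of the off-by-one described in the commit message above, written as a stand-alone C example rather than code from QEMU itself; the Devbits width, the helper names and the table size are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example: GITS_TYPER.Devbits == 3 encodes "DeviceID bits minus 1",
 * so device IDs are 4 bits wide and the valid IDs are 0..15. */
#define EXAMPLE_DEVBITS 3u

/* Number of valid device IDs, 2^(Devbits+1): the commit's "num_foos" value. */
static inline uint64_t devid_count(unsigned devbits)
{
    return UINT64_C(1) << (devbits + 1);
}

/* The pre-fix shape of the check: the 2^n value is treated as a maximum and
 * compared with '>', so devid == 1 << n is wrongly accepted. */
static bool devid_ok_buggy(uint64_t devid, unsigned devbits)
{
    uint64_t max_ids = devid_count(devbits);
    return !(devid > max_ids);
}

/* The fixed shape from the commit's pattern: the limit is a count of valid
 * IDs, and an ID is in bounds only if it is strictly less than that count. */
static bool devid_ok_fixed(uint64_t devid, unsigned devbits)
{
    uint64_t num_ids = devid_count(devbits);
    return devid < num_ids;
}

/* Count how many IDs in 0..2^(Devbits+1) inclusive a check lets through.
 * A correct check accepts exactly devid_count(devbits) of them; one more
 * means an index one past the end of a table sized for num_ids entries. */
static uint64_t accepted_count(bool (*check)(uint64_t, unsigned), unsigned devbits)
{
    uint64_t accepted = 0;
    for (uint64_t id = 0; id <= devid_count(devbits); id++) {
        accepted += check(id, devbits);
    }
    return accepted;
}
```

With the constructed 4-bit ID space, the buggy check accepts 17 IDs (0..16) and the fixed one accepts 16 (0..15), which is the boundary case the commit closes.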
authz
block blockjob: drop BlockJob.blk field 2021-12-28 15:18:59 +01:00
chardev ui/dbus: add chardev backend & interface 2021-12-21 10:50:22 +04:00
crypto crypto: Make QCryptoTLSCreds* structures private 2021-06-29 18:30:24 +01:00
disas disas/nios2: Simplify endianess conversion 2021-10-22 18:07:30 +02:00
exec cpu: remove unnecessary #ifdef CONFIG_TCG 2021-12-18 10:57:36 +01:00
fpu softfloat: Add float64r32 arithmetic routines 2021-12-17 17:57:15 +01:00
hw hw/intc/arm_gicv3_its: Fix various off-by-one errors 2022-01-07 17:08:00 +00:00
io
libdecnumber libdecnumber: Introduce decNumberIntegralToInt128 2021-11-09 10:32:52 +11:00
migration Fixed a QEMU hang when guest poweroff in COLO mode 2021-12-15 10:31:42 +01:00
monitor monitor: introduce HumanReadableText and HMP support 2021-11-02 15:55:13 +00:00
net vhost-net: control virtqueue support 2021-10-20 04:44:05 -04:00
qapi monitor: introduce HumanReadableText and HMP support 2021-11-02 15:55:13 +00:00
qemu ui/dbus: add chardev backend & interface 2021-12-21 10:50:22 +04:00
qom monitor: Fix find_device_state() for IDs containing slashes 2021-11-10 06:14:51 +01:00
scsi
semihosting
standard-headers linux-headers: update to 5.16-rc1 2021-12-10 09:47:18 +01:00
sysemu sysemu: Cleanup qemu_run_machine_init_done_notifiers() 2022-01-04 15:31:33 -08:00
tcg Initial conversion of HMP debugging commands to QMP 2021-11-03 08:04:32 -04:00
ui ui/dbus: add p2p=on/off option 2021-12-21 10:50:22 +04:00
user common-user: Move safe-syscall.* from linux-user 2021-12-20 10:12:24 -08:00
elf.h elf: Add machine type value for LoongArch 2021-12-21 13:17:06 -08:00
glib-compat.h glib-compat: Introduce g_memdup2() wrapper 2021-12-17 11:54:07 +01:00
qemu-common.h
qemu-io.h
trace-tcg.h