qemu/include
Peter Maydell 8b8bb0146b hw/intc/arm_gicv3_its: Check table bounds against correct limit
Currently when we fill in a TableDesc based on the value the guest
has written to the GITS_BASER<n> register, we calculate both:
 * num_entries : the number of entries in the table, constrained
   by the amount of memory the guest has given it
 * num_ids : the number of IDs we support for this table,
   constrained by the implementation choices and the architecture
   (eg DeviceIDs are 16 bits, so num_ids is 1 << 16)

When validating ITS commands, however, we check only num_ids,
thus allowing a broken guest to specify table entries that
index off the end of it. This will only corrupt guest memory,
but the ITS is supposed to reject such commands as invalid.

Instead of calculating both num_entries and num_ids, set
num_entries to the minimum of the two limits, and check that.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220122182444.724087-13-peter.maydell@linaro.org
2022-01-28 14:29:47 +00:00
..
authz
block Block layer patches 2022-01-14 15:56:30 +00:00
chardev ui/dbus: add chardev backend & interface 2021-12-21 10:50:22 +04:00
crypto crypto: Make QCryptoTLSCreds* structures private 2021-06-29 18:30:24 +01:00
disas target/riscv: setup everything for rv64 to support rv128 execution 2022-01-08 15:46:10 +10:00
exec exec/memory: Extract address_space_set() from dma_memory_set() 2022-01-20 09:09:37 +01:00
fpu softfloat: Add float64r32 arithmetic routines 2021-12-17 17:57:15 +01:00
hw hw/intc/arm_gicv3_its: Check table bounds against correct limit 2022-01-28 14:29:47 +00:00
io
libdecnumber libdecnumber: Introduce decNumberIntegralToInt128 2021-11-09 10:32:52 +11:00
migration Fixed a QEMU hang when guest poweroff in COLO mode 2021-12-15 10:31:42 +01:00
monitor monitor: introduce HumanReadableText and HMP support 2021-11-02 15:55:13 +00:00
net Revert "virtio-net: add support for configure interrupt" 2022-01-10 16:00:54 -05:00
qapi monitor: introduce HumanReadableText and HMP support 2021-11-02 15:55:13 +00:00
qemu qemu/int128: addition of div/rem 128-bit operations 2022-01-08 15:46:10 +10:00
qom monitor: Fix find_device_state() for IDs containing slashes 2021-11-10 06:14:51 +01:00
scsi
semihosting
standard-headers linux-headers: sync VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE 2022-01-07 19:30:13 -05:00
sysemu rtc: Move RTC function prototypes to their own header 2022-01-28 14:29:46 +00:00
tcg exec/memop: Adding signedness to quad definitions 2022-01-08 15:46:10 +10:00
ui ui: avoid warnings about directdb on Alpine / musl libc 2022-01-18 16:42:41 +00:00
user common-user: Move safe-syscall.* from linux-user 2021-12-20 10:12:24 -08:00
elf.h elf: Add machine type value for LoongArch 2021-12-21 13:17:06 -08:00
glib-compat.h docs/devel: more documentation on the use of suffixes 2022-01-18 16:42:42 +00:00
qemu-common.h rtc: Move RTC function prototypes to their own header 2022-01-28 14:29:46 +00:00
qemu-io.h
trace-tcg.h