qemu/include/hw
Peter Maydell 8b8bb0146b hw/intc/arm_gicv3_its: Check table bounds against correct limit
Currently when we fill in a TableDesc based on the value the guest
has written to the GITS_BASER<n> register, we calculate both:
 * num_entries : the number of entries in the table, constrained
   by the amount of memory the guest has given it
 * num_ids : the number of IDs we support for this table,
   constrained by the implementation choices and the architecture
   (eg DeviceIDs are 16 bits, so num_ids is 1 << 16)

When validating ITS commands, however, we check only num_ids,
thus allowing a broken guest to specify table entries that
index off the end of it. This will only corrupt guest memory,
but the ITS is supposed to reject such commands as invalid.

Instead of calculating both num_entries and num_ids, set
num_entries to the minimum of the two limits, and check that.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220122182444.724087-13-peter.maydell@linaro.org
2022-01-28 14:29:47 +00:00
..
acpi hw/acpi/ich9: Add compat prop to keep HPC bit set for 6.1 machine type 2021-11-15 09:44:46 -05:00
adc hw/adc: Add basic Aspeed ADC model 2021-10-12 08:20:08 +02:00
arm hw/arm/xlnx-versal: Connect the OSPI flash memory controller model 2022-01-28 14:29:46 +00:00
audio qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
block block: Add backend_defaults property 2021-07-06 14:28:55 +01:00
char hw/riscv: spike: Allow using binary firmware as bios 2022-01-21 15:52:56 +10:00
core linux-user: Add code for PR_GET/SET_UNALIGN 2022-01-06 11:40:52 +01:00
cpu Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
cris hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
display hw/mips/jazz: Inline vga_mmio_init() and remove it 2022-01-13 10:58:54 +01:00
dma hw/dma/xlnx_csu_dma: Support starting a read transfer through a class method 2022-01-28 14:29:46 +00:00
firmware hw/smbios: Use qapi for SmbiosEntryPointType 2022-01-07 05:19:55 -05:00
gpio hw: aspeed_gpio: Fix GPIO array indexing 2021-10-12 08:20:08 +02:00
hyperv Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
i2c aspeed/i2c: QOMify AspeedI2CBus 2021-10-12 08:20:08 +02:00
i386 hw/i386: expose a "smbios-entry-point-type" PC machine property 2022-01-07 05:19:55 -05:00
ide ide: Rename ide_bus_new() to ide_bus_init() 2021-09-30 13:44:13 +01:00
input hw/input/lm832x: Define TYPE_LM8323 in public header 2021-07-08 14:15:01 -05:00
intc hw/intc/arm_gicv3_its: Check table bounds against correct limit 2022-01-28 14:29:47 +00:00
ipack ipack: Rename ipack_bus_new_inplace() to ipack_bus_init() 2021-09-30 13:42:10 +01:00
ipmi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
isa vt82c686: Add a method to VIA_ISA to raise ISA interrupts 2021-10-18 00:41:36 +02:00
kvm target/i386: always create kvmclock device 2020-09-30 19:11:36 +02:00
m68k hw/m68k/next-cube: Add missing header comment to next-cube.h 2021-01-19 09:11:52 +01:00
mem pc-dimm: remove unnecessary get_vmstate_memory_region() method 2021-05-14 10:26:18 -04:00
mips hw/mips: Add a bootloader helper 2021-02-21 18:41:04 +01:00
misc hw/misc: Add a model of Versal's PMC SLCR 2022-01-28 14:29:46 +00:00
net hw/net: Move MV88W8618 network device out of hw/arm/ directory 2022-01-20 11:47:52 +00:00
nubus nubus: add support for slot IRQs 2021-09-29 10:45:19 +02:00
nvram hw/nvram: Introduce Xilinx battery-backed ram 2021-09-30 13:42:10 +01:00
pci hw/pci: Document pci_dma_map() 2022-01-18 10:45:35 +01:00
pci-bridge Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-host ppc/pnv: Add a 'rp_model' class attribute for the PHB4 PEC 2022-01-18 12:56:31 +01:00
ppc ppc/pnv: Move num_phbs under Pnv8Chip 2022-01-12 11:28:27 +01:00
rdma qapi: introduce x-query-rdma QMP command 2021-11-02 15:55:14 +00:00
remote multi-process: perform device reset in the remote process 2021-02-10 09:23:28 +00:00
riscv hw/riscv: Remove macros for ELF BIOS image names 2022-01-21 15:52:57 +10:00
rtc m48t59: remove legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
rx Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
s390x s390x/css: fix PMCW invalid mask 2022-01-17 08:34:19 +01:00
scsi hw/dma: Let dma_buf_read() / dma_buf_write() propagate MemTxResult 2022-01-18 12:56:29 +01:00
sd hw/sd: add nuvoton MMC 2021-11-02 14:14:55 -04:00
sensor sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00
sh4 hw/intc/sh_intc: Inline and drop sh_intc_source() function 2021-10-30 18:39:37 +02:00
southbridge Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
sparc hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
ssi hw/ssi: Add a model of Xilinx Versal's OSPI flash memory controller 2022-01-28 14:29:46 +00:00
timer hw: timer: ibex_timer: Fixup reading w/o register 2022-01-21 15:52:56 +10:00
tricore hw/tricore: Add testdevice for tests in tests/tcg/ 2021-05-18 09:36:21 +01:00
usb usb-storage: tag usb_msd_csw as packed struct 2021-11-02 17:24:18 +01:00
vfio vfio: Query and store the maximum number of possible DMA mappings 2021-07-08 15:54:45 -04:00
virtio - bugfixes for ui, usb, audio, display 2022-01-14 13:21:41 +00:00
watchdog watchdog: aspeed: Sanitize control register values 2021-09-20 08:50:59 +02:00
xen xen: Free xenforeignmemory_resource at exit 2021-05-10 13:43:58 +01:00
xtensa Include hw/irq.h a lot less 2019-08-16 13:31:52 +02:00
boards.h hw: Add compat machines for 7.0 2022-01-05 09:06:36 +01:00
clock.h host-utils: add 128-bit quotient support to divu128/divs128 2021-10-27 17:10:00 -07:00
elf_ops.h hw/elf_ops: clear uninitialized segment space 2022-01-20 09:09:37 +01:00
fw-path-provider.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hotplug.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hw.h Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
ide.h hw/ide: Move MAX_IDE_DEVS define to hw/ide/internal.h 2020-03-17 12:22:36 -04:00
irq.h include/hw/irq.h: New function qemu_irq_is_connected() 2020-08-03 17:55:03 +01:00
loader-fit.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
loader.h hw/elf_ops.h: switch to ssize_t for elf loader return type 2021-10-20 16:26:19 -07:00
nmi.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
or-irq.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
pcmcia.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
platform-bus.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
ptimer.h ptimer: Add new ptimer_set_period_from_clock() function 2021-01-29 15:54:42 +00:00
qdev-clock.h clock: Add ClockEvent parameter to callbacks 2021-03-08 17:20:01 +00:00
qdev-core.h qdev-core.h: Fix wrongly named reference to TYPE_SPLIT_IRQ 2022-01-18 12:32:16 +01:00
qdev-dma.h Supply missing header guards 2019-06-12 13:20:21 +02:00
qdev-properties-system.h qdev: Reuse DEFINE_PROP in all DEFINE_PROP_* macros 2020-12-18 15:20:17 -05:00
qdev-properties.h qdev-properties: PropertyInfo: add realized_set_allowed field 2021-09-01 12:57:31 +02:00
register.h hw/core/register: Add more 64-bit utilities 2021-09-01 11:59:12 +10:00
registerfields.h hw/registerfields: Use 64-bit bitfield for FIELD_DP64 2021-09-01 11:59:12 +10:00
resettable.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
stream.h hw/core/stream: Rename StreamSlave as StreamSink 2020-12-10 12:15:04 -05:00
sysbus.h qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
usb.h usb: drop usb_host_dev_is_scsi_storage hook 2021-07-09 18:21:33 +02:00
vmstate-if.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00