qemu/hw/intc
Philippe Mathieu-Daudé edfe2eb436 hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:

  - 4.3 Distributor register descriptions
  - 4.3.15 Software Generated Interrupt Register, GICD_SG

    - Table 4-21 GICD_SGIR bit assignments

    The Interrupt ID of the SGI to forward to the specified CPU
    interfaces. The value of this field is the Interrupt ID, in
    the range 0-15, for example a value of 0b0011 specifies
    Interrupt ID 3.

Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):

   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
   [I 1612088147.116987] OPENED
  [R +0.278293] writel 0x8000f00 0xff4affb0
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13

This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)

Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb85 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-02-02 17:00:55 +00:00
..
allwinner-a10-pic.c Clean up inclusion of sysemu/sysemu.h 2019-08-16 13:31:53 +02:00
apic_common.c i386: do not use ram_size global 2020-12-10 12:15:08 -05:00
apic.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
arm_gic_common.c arm_gic: Mask the un-supported priority bits 2020-02-28 16:14:57 +00:00
arm_gic_kvm.c Use DECLARE_*CHECKER* when possible (--force mode) 2020-09-09 09:27:11 -04:00
arm_gic.c hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register 2021-02-02 17:00:55 +00:00
arm_gicv2m.c arm tcg cpus: Fix Lesser GPL version number 2020-11-15 16:42:14 +01:00
arm_gicv3_common.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
arm_gicv3_cpuif.c hw/intc/arm_gicv3_cpuif: Make GIC maintenance interrupts work 2020-11-02 16:52:17 +00:00
arm_gicv3_dist.c hw/intc/arm_gicv3: GICD_TYPER.SecurityExtn is RAZ if GICD_CTLR.DS == 1 2019-06-17 15:13:19 +01:00
arm_gicv3_its_common.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
arm_gicv3_its_kvm.c arm tcg cpus: Fix Lesser GPL version number 2020-11-15 16:42:14 +01:00
arm_gicv3_kvm.c hw/intc/arm_gicv3_kvm: silence the compiler warnings 2020-12-18 09:14:23 +01:00
arm_gicv3_redist.c hw/intc/arm_gicv3: Fix decoding of ID register range 2019-06-17 15:13:19 +01:00
arm_gicv3.c Include qemu/module.h where needed, drop it from qemu-common.h 2019-06-12 13:18:33 +02:00
armv7m_nvic.c hw/intc/armv7m_nvic: Correct handling of CCR.BFHFNMIGN 2021-01-08 15:13:38 +00:00
aspeed_vic.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
bcm2835_ic.c hw/intc/bcm2835_ic: Trace GPU/CPU IRQ handlers 2020-10-20 16:12:00 +01:00
bcm2836_control.c hw/intc/bcm2836_control: Use IRQ definitions instead of magic numbers 2020-10-20 16:12:00 +01:00
etraxfs_pic.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
exynos4210_combiner.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
exynos4210_gic.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
gic_internal.h hw/intc/arm_gic: Drop GIC_BASE_IRQ macro 2018-09-25 15:13:24 +01:00
gicv3_internal.h
grlib_irqmp.c hw/sparc: Make grlib-irqmp device handle its own inbound IRQ lines 2021-01-06 11:41:37 +00:00
heathrow_pic.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
i8259_common.c isa: Convert uses of isa_create() with Coccinelle 2020-06-15 22:05:28 +02:00
i8259.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
ibex_plic.c intc/ibex_plic: Clear interrupts that occur during claim process 2020-12-17 21:56:43 -08:00
imx_avic.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
imx_gpcv2.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
intc.c
ioapic_common.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
ioapic.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
Kconfig ppc: Simplify reverse dependencies of POWERNV and PSERIES on XICS and XIVE 2021-01-06 11:09:59 +11:00
lm32_pic.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
loongson_liointc.c hw/intc: Rework Loongson LIOINTC 2021-01-04 23:24:44 +01:00
meson.build ppc: Simplify reverse dependencies of POWERNV and PSERIES on XICS and XIVE 2021-01-06 11:09:59 +11:00
mips_gic.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
omap_intc.c omap_intc: Use typedef name for instance_size 2020-09-09 13:20:22 -04:00
ompic.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
openpic_kvm.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
openpic.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
pl190.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pnv_xive_regs.h ppc/pnv: add a XIVE interrupt controller model for POWER9 2019-03-12 14:33:04 +11:00
pnv_xive.c error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
ppc-uic.c hw/intc/ppc-uic: Make default dcr-base 0xc0, not 0x30 2021-01-19 10:20:29 +11:00
puv3_intc.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
realview_gic.c error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
rx_icu.c hw/intc: fix heap-buffer-overflow in rxicu_realize() 2020-11-23 10:41:58 +00:00
s390_flic_kvm.c migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
s390_flic.c sysbus: Convert to sysbus_realize() etc. with Coccinelle 2020-06-15 22:05:28 +02:00
sh_intc.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
sifive_clint.c hw/riscv: Move sifive_clint model to hw/intc 2020-09-09 15:54:19 -07:00
sifive_plic.c target/riscv: Add sifive_plic vmstate 2020-11-03 07:17:23 -08:00
slavio_intctl.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
spapr_xive_kvm.c xive: Add trace events 2020-12-14 15:54:12 +11:00
spapr_xive.c spapr/xive: Make spapr_xive_pic_print_info() static 2021-01-06 11:09:59 +11:00
trace-events xive: Add trace events 2020-12-14 15:54:12 +11:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vgic_common.h
xics_kvm.c spapr/xics: Drop unused argument to xics_kvm_has_broken_disconnect() 2020-12-14 15:50:55 +11:00
xics_pnv.c non-virt: Fix Lesser GPL version number 2020-11-15 16:38:24 +01:00
xics_spapr.c spapr: Pass the maximum number of vCPUs to the KVM interrupt controller 2019-12-17 10:39:48 +11:00
xics.c error: Eliminate error_propagate() with Coccinelle, part 2 2020-07-10 15:18:08 +02:00
xilinx_intc.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
xive.c xive: Add trace events 2020-12-14 15:54:12 +11:00
xlnx-pmu-iomod-intc.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
xlnx-zynqmp-ipi.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00