| Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | [diff] [blame^] | 1 | From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001 |
| 2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org> |
| 3 | Date: Sun, 31 Jan 2021 11:34:01 +0100 |
| 4 | Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register |
| 5 | MIME-Version: 1.0 |
| 6 | Content-Type: text/plain; charset=UTF-8 |
| 7 | Content-Transfer-Encoding: 8bit |
| 8 | |
| 9 | Per the ARM Generic Interrupt Controller Architecture specification |
| 10 | (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, |
| 11 | not 10: |
| 12 | |
| 13 | - 4.3 Distributor register descriptions |
| 14 | - 4.3.15 Software Generated Interrupt Register, GICD_SG |
| 15 | |
| 16 | - Table 4-21 GICD_SGIR bit assignments |
| 17 | |
| 18 | The Interrupt ID of the SGI to forward to the specified CPU |
| 19 | interfaces. The value of this field is the Interrupt ID, in |
| 20 | the range 0-15, for example a value of 0b0011 specifies |
| 21 | Interrupt ID 3. |
| 22 | |
| 23 | Correct the irq mask to fix an undefined behavior (which eventually |
| 24 | lead to a heap-buffer-overflow, see [Buglink]): |
| 25 | |
| 26 | $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio |
| 27 | [I 1612088147.116987] OPENED |
| 28 | [R +0.278293] writel 0x8000f00 0xff4affb0 |
| 29 | ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' |
| 30 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 |
| 31 | |
| 32 | This fixes a security issue when running with KVM on Arm with |
| 33 | kernel-irqchip=off. (The default is kernel-irqchip=on, which is |
| 34 | unaffected, and which is also the correct choice for performance.) |
| 35 | |
| 36 | Cc: qemu-stable@nongnu.org |
| 37 | Fixes: CVE-2021-20221 |
| 38 | Fixes: 9ee6e8bb853 ("ARMv7 support.") |
| 39 | Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 |
| 40 | Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 |
| 41 | Reported-by: Alexander Bulekov <alxndr@bu.edu> |
| 42 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
| 43 | Message-id: 20210131103401.217160-1-f4bug@amsat.org |
| 44 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> |
| 45 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 46 | |
| 47 | Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a] |
| 48 | CVE: CVE-2021-20221 |
| 49 | |
| 50 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| 51 | --- |
| 52 | hw/intc/arm_gic.c | 2 +- |
| 53 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 54 | |
| 55 | diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c |
| 56 | index c60dc6b5e..fbde60de0 100644 |
| 57 | --- a/hw/intc/arm_gic.c |
| 58 | +++ b/hw/intc/arm_gic.c |
| 59 | @@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset, |
| 60 | int target_cpu; |
| 61 | |
| 62 | cpu = gic_get_current_cpu(s); |
| 63 | - irq = value & 0x3ff; |
| 64 | + irq = value & 0xf; |
| 65 | switch ((value >> 24) & 3) { |
| 66 | case 0: |
| 67 | mask = (value >> 16) & ALL_CPU_MASK; |
| 68 | -- |
| 69 | 2.29.2 |
| 70 | |