motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-02 07:13:54 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/hw/intc
History
Peter Maydell 80dcd37feb hw/intc/arm_gicv3_its: Fix various off-by-one errors 
The ITS code has to check whether various parameters passed in
commands are in-bounds, where the limit is defined in terms of the
number of bits that are available for the parameter.  (For example,
the GITS_TYPER.Devbits ID register field specifies the number of
DeviceID bits minus 1, and device IDs passed in the MAPTI and MAPD
command packets must fit in that many bits.)

Currently we have off-by-one bugs in many of these bounds checks.
The typical problem is that we define a max_foo as 1 << n. In
the Devbits example, we set
  s->dt.max_ids = 1UL << (GITS_TYPER.Devbits + 1).
However later when we do the bounds check we write
  if (devid > s->dt.max_ids) { /* command error */ }
which incorrectly permits a devid of 1 << n.

These bugs will not cause QEMU crashes because the ID values being
checked are only used for accesses into tables held in guest memory
which we access with address_space_*() functions, but they are
incorrect behaviour of our emulation.

Fix them by standardizing on this pattern:
 * bounds limits are named num_foos and are the 2^n value
   (equal to the number of valid foo values)
 * bounds checks are either
   if (fooid < num_foos) { good }
   or
   if (fooid >= num_foos) { bad }

In this commit we fix the handling of the number of IDs
in the device table and the collection table, and the number
of commands that will fit in the command queue.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2022-01-07 17:08:00 +00:00
..
allwinner-a10-pic.c Clean up inclusion of sysemu/sysemu.h 2019-08-16 13:31:53 +02:00
apic.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
apic_common.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
arm_gic.c hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register 2021-02-02 17:00:55 +00:00
arm_gic_common.c arm_gic: Mask the un-supported priority bits 2020-02-28 16:14:57 +00:00
arm_gic_kvm.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
arm_gicv2m.c arm tcg cpus: Fix Lesser GPL version number 2020-11-15 16:42:14 +01:00
arm_gicv3.c hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector 2021-12-15 10:35:10 +00:00
arm_gicv3_common.c hw/intc/arm_gicv3: Support multiple redistributor regions 2021-11-15 16:12:59 +00:00
arm_gicv3_cpuif.c hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c 2021-12-15 10:11:34 +00:00
arm_gicv3_cpuif_common.c hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c 2021-12-15 10:11:34 +00:00
arm_gicv3_dist.c hw/intc: GICv3 ITS Feature enablement 2021-09-13 21:01:08 +01:00
arm_gicv3_its.c hw/intc/arm_gicv3_its: Fix various off-by-one errors 2022-01-07 17:08:00 +00:00
arm_gicv3_its_common.c hw/intc/arm_gicv3_its: Revert version increments in vmstate_its 2021-11-22 18:17:19 +00:00
arm_gicv3_its_kvm.c hw/intc: GICv3 ITS initial framework 2021-09-13 16:07:54 +01:00
arm_gicv3_kvm.c hw/intc/arm_gicv3: Support multiple redistributor regions 2021-11-15 16:12:59 +00:00
arm_gicv3_redist.c hw/intc/arm_gicv3: Update cached state after LPI state changes 2021-11-26 16:57:51 +00:00
armv7m_nvic.c arm: Move system PPB container handling to armv7m 2021-09-01 11:08:18 +01:00
aspeed_vic.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
bcm2835_ic.c hw/intc/bcm2835_ic: Trace GPU/CPU IRQ handlers 2020-10-20 16:12:00 +01:00
bcm2836_control.c hw/intc/bcm2836_control: Use IRQ definitions instead of magic numbers 2020-10-20 16:12:00 +01:00
etraxfs_pic.c hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
exynos4210_combiner.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
exynos4210_gic.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
gic_internal.h hw/intc/arm_gic: Drop GIC_BASE_IRQ macro 2018-09-25 15:13:24 +01:00
gicv3_internal.h hw/intc/arm_gicv3_its: Use FIELD macros for CTEs 2022-01-07 17:07:59 +00:00
goldfish_pic.c hw/m68k: Fix typo in SPDX tag 2021-11-09 10:11:27 +01:00
grlib_irqmp.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
heathrow_pic.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
i8259.c hw/intc/i8259: Refactor pic_read_irq() to avoid uninitialized variable 2021-03-19 08:48:18 -04:00
i8259_common.c isa: Convert uses of isa_create() with Coccinelle 2020-06-15 22:05:28 +02:00
imx_avic.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
imx_gpcv2.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
intc.c intc: add an interface to gather statistics/informations on interrupt controllers 2016-10-04 10:00:25 +02:00
ioapic.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
ioapic_common.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
Kconfig hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector 2021-12-15 10:35:10 +00:00
loongson_liointc.c hw/intc/loongson_liointc: Fix per core ISR handling 2021-02-21 18:41:46 +01:00
m68k_irqc.c hw/m68k: Fix typo in SPDX tag 2021-11-09 10:11:27 +01:00
meson.build hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector 2021-12-15 10:35:10 +00:00
mips_gic.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
omap_intc.c omap_intc: Use typedef name for instance_size 2020-09-09 13:20:22 -04:00
ompic.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
openpic.c hw/intc: openpic: Clean up the styles 2021-09-30 12:26:06 +10:00
openpic_kvm.c memory: Name all the memory listeners 2021-09-30 15:30:24 +02:00
pl190.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pnv_xive.c dma: Let ld*_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
pnv_xive_regs.h ppc/pnv: add a XIVE interrupt controller model for POWER9 2019-03-12 14:33:04 +11:00
ppc-uic.c misc: Correct relative include path 2021-06-05 21:10:42 +02:00
realview_gic.c error: Eliminate error_propagate() with Coccinelle, part 1 2020-07-10 15:18:08 +02:00
riscv_aclint.c hw/intc: Upgrade the SiFive CLINT implementation to RISC-V ACLINT 2021-09-21 07:56:49 +10:00
rx_icu.c hw/intc: fix heap-buffer-overflow in rxicu_realize() 2020-11-23 10:41:58 +00:00
s390_flic.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
s390_flic_kvm.c target/s390x: move kvm files into kvm/ 2021-07-07 14:01:59 +02:00
sh_intc.c hw/intc/sh_intc: Remove unneeded local variable initialisers 2021-10-30 18:39:37 +02:00
sifive_plic.c hw/intc: sifive_plic: Cleanup the irq_request function 2021-10-22 23:35:47 +10:00
slavio_intctl.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
spapr_xive.c dma: Let dma_memory_rw() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
spapr_xive_kvm.c spapr/xive: Use xive_esb_rw() to trigger interrupts 2021-10-21 11:42:47 +11:00
trace-events hw/sh4: Change debug printfs to traces 2021-10-30 18:39:37 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vgic_common.h intc/gic: Extract some reusable vGIC code 2015-09-24 01:29:36 +01:00
xics.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
xics_kvm.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
xics_pnv.c non-virt: Fix Lesser GPL version number 2020-11-15 16:38:24 +01:00
xics_spapr.c Do not include cpu.h if it's not really necessary 2021-05-02 17:24:51 +02:00
xilinx_intc.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
xive.c dma: Let dma_memory_read/write() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
xlnx-pmu-iomod-intc.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
xlnx-zynqmp-ipi.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00