yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch

1072c8
From dad4f9beaa3fd1eec1e0dd46c3d5cd2f444c0f48 Mon Sep 17 00:00:00 2001
a6baaf
From: Jon Maloy <jmaloy@redhat.com>
1072c8
Date: Tue, 13 Apr 2021 20:05:51 -0400
1072c8
Subject: [PATCH 1/7] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
a6baaf
MIME-Version: 1.0
a6baaf
Content-Type: text/plain; charset=UTF-8
a6baaf
Content-Transfer-Encoding: 8bit
a6baaf
a6baaf
RH-Author: Jon Maloy <jmaloy@redhat.com>
1072c8
Message-id: <20210413200551.3825495-2-jmaloy@redhat.com>
1072c8
Patchwork-id: 101471
1072c8
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
1072c8
Bugzilla: 1925430
1072c8
RH-Acked-by: Andrew Jones <drjones@redhat.com>
1072c8
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
a6baaf
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
a6baaf
a6baaf
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
a6baaf
a6baaf
Per the ARM Generic Interrupt Controller Architecture specification
a6baaf
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
a6baaf
not 10:
a6baaf
a6baaf
  - 4.3 Distributor register descriptions
a6baaf
  - 4.3.15 Software Generated Interrupt Register, GICD_SG
a6baaf
a6baaf
    - Table 4-21 GICD_SGIR bit assignments
a6baaf
a6baaf
    The Interrupt ID of the SGI to forward to the specified CPU
a6baaf
    interfaces. The value of this field is the Interrupt ID, in
a6baaf
    the range 0-15, for example a value of 0b0011 specifies
a6baaf
    Interrupt ID 3.
a6baaf
a6baaf
Correct the irq mask to fix an undefined behavior (which eventually
a6baaf
lead to a heap-buffer-overflow, see [Buglink]):
a6baaf
a6baaf
   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
a6baaf
   [I 1612088147.116987] OPENED
a6baaf
  [R +0.278293] writel 0x8000f00 0xff4affb0
a6baaf
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
a6baaf
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
a6baaf
a6baaf
This fixes a security issue when running with KVM on Arm with
a6baaf
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
a6baaf
unaffected, and which is also the correct choice for performance.)
a6baaf
a6baaf
Cc: qemu-stable@nongnu.org
a6baaf
Fixes: CVE-2021-20221
a6baaf
Fixes: 9ee6e8bb853 ("ARMv7 support.")
a6baaf
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
a6baaf
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
a6baaf
Reported-by: Alexander Bulekov <alxndr@bu.edu>
a6baaf
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
a6baaf
Message-id: 20210131103401.217160-1-f4bug@amsat.org
a6baaf
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
a6baaf
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
a6baaf
a6baaf
(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
a6baaf
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
a6baaf
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
a6baaf
---
a6baaf
 hw/intc/arm_gic.c | 2 +-
a6baaf
 1 file changed, 1 insertion(+), 1 deletion(-)
a6baaf
a6baaf
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
a6baaf
index 1d7da7baa2..df355f4d11 100644
a6baaf
--- a/hw/intc/arm_gic.c
a6baaf
+++ b/hw/intc/arm_gic.c
a6baaf
@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
a6baaf
         int target_cpu;
a6baaf
 
a6baaf
         cpu = gic_get_current_cpu(s);
a6baaf
-        irq = value & 0x3ff;
a6baaf
+        irq = value & 0xf;
a6baaf
         switch ((value >> 24) & 3) {
a6baaf
         case 0:
a6baaf
             mask = (value >> 16) & ALL_CPU_MASK;
a6baaf
-- 
a6baaf
2.27.0
a6baaf