yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch

dc7afb
From dad4f9beaa3fd1eec1e0dd46c3d5cd2f444c0f48 Mon Sep 17 00:00:00 2001
dc7afb
From: Jon Maloy <jmaloy@redhat.com>
dc7afb
Date: Tue, 13 Apr 2021 20:05:51 -0400
dc7afb
Subject: [PATCH 1/7] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
dc7afb
MIME-Version: 1.0
dc7afb
Content-Type: text/plain; charset=UTF-8
dc7afb
Content-Transfer-Encoding: 8bit
dc7afb
dc7afb
RH-Author: Jon Maloy <jmaloy@redhat.com>
dc7afb
Message-id: <20210413200551.3825495-2-jmaloy@redhat.com>
dc7afb
Patchwork-id: 101471
dc7afb
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
dc7afb
Bugzilla: 1925430
dc7afb
RH-Acked-by: Andrew Jones <drjones@redhat.com>
dc7afb
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
dc7afb
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
dc7afb
dc7afb
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
dc7afb
dc7afb
Per the ARM Generic Interrupt Controller Architecture specification
dc7afb
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
dc7afb
not 10:
dc7afb
dc7afb
  - 4.3 Distributor register descriptions
dc7afb
  - 4.3.15 Software Generated Interrupt Register, GICD_SG
dc7afb
dc7afb
    - Table 4-21 GICD_SGIR bit assignments
dc7afb
dc7afb
    The Interrupt ID of the SGI to forward to the specified CPU
dc7afb
    interfaces. The value of this field is the Interrupt ID, in
dc7afb
    the range 0-15, for example a value of 0b0011 specifies
dc7afb
    Interrupt ID 3.
dc7afb
dc7afb
Correct the irq mask to fix an undefined behavior (which eventually
dc7afb
lead to a heap-buffer-overflow, see [Buglink]):
dc7afb
dc7afb
   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
dc7afb
   [I 1612088147.116987] OPENED
dc7afb
  [R +0.278293] writel 0x8000f00 0xff4affb0
dc7afb
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
dc7afb
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
dc7afb
dc7afb
This fixes a security issue when running with KVM on Arm with
dc7afb
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
dc7afb
unaffected, and which is also the correct choice for performance.)
dc7afb
dc7afb
Cc: qemu-stable@nongnu.org
dc7afb
Fixes: CVE-2021-20221
dc7afb
Fixes: 9ee6e8bb853 ("ARMv7 support.")
dc7afb
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
dc7afb
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
dc7afb
Reported-by: Alexander Bulekov <alxndr@bu.edu>
dc7afb
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
dc7afb
Message-id: 20210131103401.217160-1-f4bug@amsat.org
dc7afb
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
dc7afb
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
dc7afb
dc7afb
(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
dc7afb
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
dc7afb
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
dc7afb
---
dc7afb
 hw/intc/arm_gic.c | 2 +-
dc7afb
 1 file changed, 1 insertion(+), 1 deletion(-)
dc7afb
dc7afb
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
dc7afb
index 1d7da7baa2..df355f4d11 100644
dc7afb
--- a/hw/intc/arm_gic.c
dc7afb
+++ b/hw/intc/arm_gic.c
dc7afb
@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
dc7afb
         int target_cpu;
dc7afb
 
dc7afb
         cpu = gic_get_current_cpu(s);
dc7afb
-        irq = value & 0x3ff;
dc7afb
+        irq = value & 0xf;
dc7afb
         switch ((value >> 24) & 3) {
dc7afb
         case 0:
dc7afb
             mask = (value >> 16) & ALL_CPU_MASK;
dc7afb
-- 
dc7afb
2.27.0
dc7afb