thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch

6e7d01
From dad4f9beaa3fd1eec1e0dd46c3d5cd2f444c0f48 Mon Sep 17 00:00:00 2001
6e7d01
From: Jon Maloy <jmaloy@redhat.com>
6e7d01
Date: Tue, 13 Apr 2021 20:05:51 -0400
6e7d01
Subject: [PATCH 1/7] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
6e7d01
MIME-Version: 1.0
6e7d01
Content-Type: text/plain; charset=UTF-8
6e7d01
Content-Transfer-Encoding: 8bit
6e7d01
6e7d01
RH-Author: Jon Maloy <jmaloy@redhat.com>
6e7d01
Message-id: <20210413200551.3825495-2-jmaloy@redhat.com>
6e7d01
Patchwork-id: 101471
6e7d01
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
6e7d01
Bugzilla: 1925430
6e7d01
RH-Acked-by: Andrew Jones <drjones@redhat.com>
6e7d01
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
6e7d01
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
6e7d01
6e7d01
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
6e7d01
6e7d01
Per the ARM Generic Interrupt Controller Architecture specification
6e7d01
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
6e7d01
not 10:
6e7d01
6e7d01
  - 4.3 Distributor register descriptions
6e7d01
  - 4.3.15 Software Generated Interrupt Register, GICD_SG
6e7d01
6e7d01
    - Table 4-21 GICD_SGIR bit assignments
6e7d01
6e7d01
    The Interrupt ID of the SGI to forward to the specified CPU
6e7d01
    interfaces. The value of this field is the Interrupt ID, in
6e7d01
    the range 0-15, for example a value of 0b0011 specifies
6e7d01
    Interrupt ID 3.
6e7d01
6e7d01
Correct the irq mask to fix an undefined behavior (which eventually
6e7d01
lead to a heap-buffer-overflow, see [Buglink]):
6e7d01
6e7d01
   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
6e7d01
   [I 1612088147.116987] OPENED
6e7d01
  [R +0.278293] writel 0x8000f00 0xff4affb0
6e7d01
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
6e7d01
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
6e7d01
6e7d01
This fixes a security issue when running with KVM on Arm with
6e7d01
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
6e7d01
unaffected, and which is also the correct choice for performance.)
6e7d01
6e7d01
Cc: qemu-stable@nongnu.org
6e7d01
Fixes: CVE-2021-20221
6e7d01
Fixes: 9ee6e8bb853 ("ARMv7 support.")
6e7d01
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
6e7d01
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
6e7d01
Reported-by: Alexander Bulekov <alxndr@bu.edu>
6e7d01
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
6e7d01
Message-id: 20210131103401.217160-1-f4bug@amsat.org
6e7d01
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
6e7d01
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
6e7d01
6e7d01
(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
6e7d01
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
6e7d01
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
6e7d01
---
6e7d01
 hw/intc/arm_gic.c | 2 +-
6e7d01
 1 file changed, 1 insertion(+), 1 deletion(-)
6e7d01
6e7d01
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
6e7d01
index 1d7da7baa2..df355f4d11 100644
6e7d01
--- a/hw/intc/arm_gic.c
6e7d01
+++ b/hw/intc/arm_gic.c
6e7d01
@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
6e7d01
         int target_cpu;
6e7d01
 
6e7d01
         cpu = gic_get_current_cpu(s);
6e7d01
-        irq = value & 0x3ff;
6e7d01
+        irq = value & 0xf;
6e7d01
         switch ((value >> 24) & 3) {
6e7d01
         case 0:
6e7d01
             mask = (value >> 16) & ALL_CPU_MASK;
6e7d01
-- 
6e7d01
2.27.0
6e7d01