From: kiki <[email protected]>

A malformed IVE value can result in an invalid server field being passed to icp_irq(). The function assumes the server id is valid and may access invalid state otherwise, potentially leading to a crash.
Fix this by validating the server id before using it and ignoring invalid values. Reported-by: Zexiang Zhang <[email protected]> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3324 Signed-off-by: Zexiang Zhang <[email protected]> Signed-off-by: Gautam Menghani <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Link: https://lore.kernel.org/qemu-devel/[email protected] Signed-off-by: Harsh Prateek Bora <[email protected]> (cherry picked from commit 1aee8067fce95d15061eca8fbb6772d8a90ea699) Signed-off-by: Michael Tokarev <[email protected]> diff --git a/hw/intc/xics.c b/hw/intc/xics.c index bb8504f53d..bb328eb0df 100644 --- a/hw/intc/xics.c +++ b/hw/intc/xics.c @@ -26,6 +26,7 @@ */ #include "qemu/osdep.h" +#include "qemu/log.h" #include "qapi/error.h" #include "trace.h" #include "qemu/timer.h" @@ -222,6 +223,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority) trace_xics_icp_irq(server, nr, priority); + if (!icp) { + qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n", + server, nr); + ics_reject(ics, nr); + return; + } + if ((priority >= CPPR(icp)) || (XISR(icp) && (icp->pending_priority <= priority))) { ics_reject(ics, nr); -- 2.47.3
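Review bot: In the icp_irq() hunk the new guard tests the `icp` pointer (`if (!icp)`), not the `server` value itself, so the fix relies on whatever lookup assigns `icp` before the trace call returning NULL for an out-of-range server rather than asserting or indexing out of bounds; that lookup is outside the visible context, so the commit message's "validating the server id" should either be reworded to "rejecting the IRQ when no ICP exists for the server" or the message should state that the lookup returns NULL for invalid ids. Placing the check ahead of `CPPR(icp)` / `XISR(icp)` is correct since those are the first dereferences shown, and routing the invalid case through `ics_reject(ics, nr)` keeps it consistent with the existing reject path two lines below. Since `qemu_log_mask()` applies no rate limiting, a guest that keeps presenting the malformed IVE will emit one log line per interrupt under LOG_GUEST_ERROR; worth a sentence in the commit message if that is acceptable.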
