On 07/12/2018 10:41 AM, Peter Maydell wrote:
> In gic_deactivate_irq() the interrupt number comes from the guest
> (on a write to the GICC_DIR register), so we need to sanity check
> that it isn't out of range before we use it as an array index.
> Handle this in a similar manner to the check we do in
> gic_complete_irq() for the GICC_EOI register.
>
> The array overrun is not disastrous because the calling code
> uses (value & 0x3ff) to extract the interrupt field, so the
> only out-of-range values possible are 1020..1023, which allow
> overrunning only from irq_state[] into the following
> irq_target[] array which the guest can already manipulate.
>
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
> ---
> hw/intc/arm_gic.c | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>

r~
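The range check the quoted commit message describes, as an added C example that is not the QEMU patch itself: a hypothetical, simplified GIC state in which irq_state[] is immediately followed by irq_target[], and a deactivate handler that extracts the interrupt field with `value & 0x3ff` and rejects any index at or above num_irq before it is used as an array index. GIC_MAXIRQ, num_irq, the state layout and the "ignore the write" policy are assumptions chosen to mirror the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified layout: irq_state[] directly followed by irq_target[],
 * so an unchecked index of 1020..1023 would land in irq_target[]. */
#define GIC_MAXIRQ 1020
#define GIC_ACTIVE 0x2

typedef struct {
    int num_irq;                     /* interrupts actually implemented (assumed) */
    uint8_t irq_state[GIC_MAXIRQ];   /* per-interrupt state bits */
    uint8_t irq_target[GIC_MAXIRQ];  /* per-interrupt CPU target mask */
} gic_state_t;

/* Guest writes a value to GICC_DIR; only the low 10 bits name the interrupt.
 * Returns true if the interrupt was deactivated, false if the index was
 * out of range and the write was ignored (no array access is made). */
static bool gic_deactivate_irq_checked(gic_state_t *s, uint32_t value)
{
    int irq = value & 0x3ff;          /* 0..1023 */
    if (irq >= s->num_irq) {          /* 1020..1023 and unimplemented IRQs rejected */
        return false;
    }
    s->irq_state[irq] &= (uint8_t)~GIC_ACTIVE;
    return true;
}

/* Stand-alone demo on constructed state. */
int main(void)
{
    gic_state_t s;
    memset(&s, 0, sizeof s);
    s.num_irq = 96;                   /* constructed: 96 implemented interrupts */
    s.irq_state[5] = GIC_ACTIVE;
    printf("irq 5:    %s\n", gic_deactivate_irq_checked(&s, 5) ? "deactivated" : "ignored");
    printf("irq 1023: %s\n", gic_deactivate_irq_checked(&s, 1023) ? "deactivated" : "ignored");
    return 0;
}
```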