Forwarding to qemu-security@ to see if this issue is worth a CVE.
On 1/31/21 12:57 PM, P J P wrote:
> +-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+
> | On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote:
> | > Per the ARM Generic Interrupt Controller Architecture specification
> | > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
> | > not 10:
> | >
> | > - Table 4-21 GICD_SGIR bit assignments
> | >
> | > The Interrupt ID of the SGI to forward to the specified CPU
> | > interfaces. The value of this field is the Interrupt ID, in
> | > the range 0-15, for example a value of 0b0011 specifies
> | > Interrupt ID 3.
> | >
> | > diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
> | > index af41e2fb448..75316329516 100644
> | > --- a/hw/intc/arm_gic.c
> | > +++ b/hw/intc/arm_gic.c
> | > @@ -1476,7 +1476,7 @@ static void gic_dist_writel(void *opaque, hwaddr
> offset,
> | > int target_cpu;
> | >
> | > cpu = gic_get_current_cpu(s);
> | > - irq = value & 0x3ff;
> | > + irq = value & 0xf;
> | > switch ((value >> 24) & 3) {
> | > case 0:
> | > mask = (value >> 16) & ALL_CPU_MASK;
> | >
>
> * Looks okay.
>
>
> | > Correct the irq mask to fix an undefined behavior (which eventually
> | > lead to a heap-buffer-overflow, see [Buglink]):
> | >
> | > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M
> virt,accel=qtest -qtest stdio
> | > [I 1612088147.116987] OPENED
> | > [R +0.278293] writel 0x8000f00 0xff4affb0
> | > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds
> for type 'uint8_t [16][8]'
> | > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> ../hw/intc/arm_gic.c:1498:13
> | >
> | > Cc: qemu-sta...@nongnu.org
> | > Fixes: 9ee6e8bb853 ("ARMv7 support.")
> | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
> | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
> |
> | > ---
> | > Isnt it worth a CVE to help distributions track backports?
> | > ---
>
> * Please send such report(s) to 'qemu-security' list to be triaged as
> potential security ones.
>
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
>