Upstream patch: -> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00709.html
-- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1914353 Title: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID Status in QEMU: New Bug description: Via [qemu-security] list +-- On Sun, 31 Jan 2021, Philippe Mathieu-Daudé wrote --+ | On 1/31/21 11:34 AM, Philippe Mathieu-Daudé wrote: | > Per the ARM Generic Interrupt Controller Architecture specification | > (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, | > not 10: | > | > - Table 4-21 GICD_SGIR bit assignments | > | > The Interrupt ID of the SGI to forward to the specified CPU | > interfaces. The value of this field is the Interrupt ID, in | > the range 0-15, for example a value of 0b0011 specifies | > Interrupt ID 3. | > ... | > Correct the irq mask to fix an undefined behavior (which eventually | > lead to a heap-buffer-overflow, see [Buglink]): | > | > $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio | > [I 1612088147.116987] OPENED | > [R +0.278293] writel 0x8000f00 0xff4affb0 | > ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' | > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 | > | > Cc: qemu-sta...@nongnu.org | > Fixes: 9ee6e8bb853 ("ARMv7 support.") | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 | > Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 ... On 210202 1221, Peter Maydell wrote: > In both cases the overrun is on the first writel to 0x8000f00, > but the fuzzer has for some reason not reported that but instead > blundered on until it happens to trigger some other issue that > resulted from the memory corruption it induced with the first write. > ... > On the CVE: > > Since this can affect systems using KVM, this is a security bug for > us. However, it only affects an uncommon configuration: > you are only vulnerable if you are using "kernel-irqchip=off" > (the default is 'on', and turning it off is an odd thing to do). > > thanks > -- PMM > To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1914353/+subscriptions