| Message ID | 20220122182444.724087-12-peter.maydell@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | arm_gicv3_its: Implement MOVI and MOVALL commands | expand |
On 1/23/22 05:24, Peter Maydell wrote: > The ITS has a bank of 8 GITS_BASER<n> registers, which allow the > guest to specify the base address of various data tables. Each > register has a read-only type field indicating which table it is for > and a read-write field where the guest can write in the base address > (among other things). We currently allow the guest to write the > writeable fields for all eight registers, even if the type field is 0 > indicating "Unimplemented". This means the guest can provoke QEMU > into asserting by writing an address into one of these unimplemented > base registers, which bypasses the "if (!value) continue" check in > extract_table_params() and lets us hit the assertion that the type > field is one of the permitted table types. > > Prevent the assertion by not allowing the guest to write to the > unimplemented base registers. This means their value will remain 0 > and extract_table_params() will ignore them. > > > Signed-off-by: Peter Maydell<peter.maydell@linaro.org> > --- > hw/intc/arm_gicv3_its.c | 8 ++++++++ > 1 file changed, 8 insertions(+) Reviewed-by: Richard Henderson <richard.henderson@linaro.org> r~
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c index b17f2631269..237198845d7 100644 --- a/hw/intc/arm_gicv3_its.c +++ b/hw/intc/arm_gicv3_its.c @@ -929,6 +929,10 @@ static bool its_writel(GICv3ITSState *s, hwaddr offset, if (!(s->ctlr & R_GITS_CTLR_ENABLED_MASK)) { index = (offset - GITS_BASER) / 8; + if (s->baser[index] == 0) { + /* Unimplemented GITS_BASERn: RAZ/WI */ + break; + } if (offset & 7) { value <<= 32; value &= ~GITS_BASER_RO_MASK; @@ -1025,6 +1029,10 @@ static bool its_writell(GICv3ITSState *s, hwaddr offset, */ if (!(s->ctlr & R_GITS_CTLR_ENABLED_MASK)) { index = (offset - GITS_BASER) / 8; + if (s->baser[index] == 0) { + /* Unimplemented GITS_BASERn: RAZ/WI */ + break; + } s->baser[index] &= GITS_BASER_RO_MASK; s->baser[index] |= (value & ~GITS_BASER_RO_MASK); }
The ITS has a bank of 8 GITS_BASER<n> registers, which allow the guest to specify the base address of various data tables. Each register has a read-only type field indicating which table it is for and a read-write field where the guest can write in the base address (among other things). We currently allow the guest to write the writeable fields for all eight registers, even if the type field is 0 indicating "Unimplemented". This means the guest can provoke QEMU into asserting by writing an address into one of these unimplemented base registers, which bypasses the "if (!value) continue" check in extract_table_params() and lets us hit the assertion that the type field is one of the permitted table types. Prevent the assertion by not allowing the guest to write to the unimplemented base registers. This means their value will remain 0 and extract_table_params() will ignore them. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/intc/arm_gicv3_its.c | 8 ++++++++ 1 file changed, 8 insertions(+)