Re: [Qemu-arm] [PATCH] intc: arm_gicv3: limit GICR ipriority index


From: Peter Maydell
Subject: Re: [Qemu-arm] [PATCH] intc: arm_gicv3: limit GICR ipriority index
Date: Tue, 5 Sep 2017 12:58:47 +0100

On 5 September 2017 at 12:21, P J P <address@hidden> wrote:
> From: Prasad J Pandit <address@hidden>
>
> When reading or writing to GICR ipriority array, index 'irq'
> could go beyond its bounds; Restrict it within array limits.
>
> Reported-by: Guoxiang Niu <address@hidden>
> Signed-off-by: Prasad J Pandit <address@hidden>
> ---
>  hw/intc/arm_gicv3_redist.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
> index 77e5cfa327..7683c4cc7f 100644
> --- a/hw/intc/arm_gicv3_redist.c
> +++ b/hw/intc/arm_gicv3_redist.c
> @@ -187,7 +187,7 @@ static MemTxResult gicr_readl(GICv3CPUState *cs, hwaddr 
> offset,
>      case GICR_ICACTIVER0:
>          *data = gicr_read_bitmap_reg(cs, attrs, cs->gicr_iactiver0);
>          return MEMTX_OK;
> -    case GICR_IPRIORITYR ... GICR_IPRIORITYR + 0x1f:
> +    case GICR_IPRIORITYR ... GICR_IPRIORITYR + 0x1c:
>      {
>          int i, irq = offset - GICR_IPRIORITYR;
>          uint32_t value = 0;
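Review bot: narrowing the case label in gicr_readl from `GICR_IPRIORITYR + 0x1f` to `GICR_IPRIORITYR + 0x1c` only drops offsets 0x1d..0x1f from the range, and a word access whose offset is 4-byte aligned never presents those values, so the set of offsets reaching `int i, irq = offset - GICR_IPRIORITYR;` is unchanged. The commit message should name the concrete offset and array index it believes go out of bounds; if no aligned offset can, the change should be dropped and the alignment invariant the case relies on recorded in a comment here instead.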
> @@ -310,7 +310,7 @@ static MemTxResult gicr_writel(GICv3CPUState *cs, hwaddr 
> offset,
>      case GICR_ICACTIVER0:
>          gicr_write_clear_bitmap_reg(cs, attrs, &cs->gicr_iactiver0, value);
>          return MEMTX_OK;
> -    case GICR_IPRIORITYR ... GICR_IPRIORITYR + 0x1f:
> +    case GICR_IPRIORITYR ... GICR_IPRIORITYR + 0x1c:
>      {
>          int i, irq = offset - GICR_IPRIORITYR;
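Review bot: the same concern applies to the write side: with offset held to 4-byte alignment by the caller, `irq` in gicr_writel can only take the values 0, 4, ..., 0x1c under both the old and the new case label, so the patch does not alter which indices are written. If the intent is to protect the loop over `i` against an offset that somehow bypasses the caller's alignment check, an explicit bounds assert on `irq` next to its declaration would state that directly, whereas the narrowed label merely stops matching offsets 0x1d..0x1f without documenting why.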

Why do you think the buffer can be overrun? These functions
are the word (4 byte) access functions, and they cannot
be called with a non-4-aligned offset (see the asserts in
gicv3_redist_read() and gicv3_redist_write()).

thanks
-- PMM
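A small C model, added here and not taken from QEMU, of the dispatch in the quoted hunks, to check the reply's argument numerically: when the caller enforces 4-byte alignment, the original `+ 0x1f` and the patched `+ 0x1c` case ranges admit the same eight offsets and the highest array index read is 31. The base offset, the 32-entry array size (inferred from the 0x00..0x1f byte range) and the little-endian byte assembly are assumptions.

```c
/* Model of gicr_readl's IPRIORITYR case (not QEMU code). Assumptions:
 * one priority byte per interrupt, 32 entries, and a 4-byte-aligned
 * word access enforced by the caller, as the reply describes. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

#define GICR_IPRIORITYR 0x0400   /* assumed base; only the delta matters */
#define N_PRIO 32                /* assumed array size (0x00..0x1f bytes) */

typedef struct {
    uint8_t ipriorityr[N_PRIO];
} ModelCPUState;

/* Word read modelled on gicr_readl. The assert plays the role of the
 * alignment assert in gicv3_redist_read(). range_end is the upper bound
 * of the case label: 0x1f (original) or 0x1c (patched). Returns false
 * when the offset does not fall in the IPRIORITYR case. */
static bool model_readl(const ModelCPUState *cs, uint64_t offset,
                        uint32_t *data, unsigned range_end)
{
    assert((offset & 3) == 0);
    if (offset < GICR_IPRIORITYR || offset > GICR_IPRIORITYR + range_end) {
        return false;
    }
    int irq = (int)(offset - GICR_IPRIORITYR);
    uint32_t value = 0;
    for (int i = 0; i < 4; i++) {
        assert(irq + i < N_PRIO);   /* the bound the patch worries about */
        value |= (uint32_t)cs->ipriorityr[irq + i] << (8 * i);
    }
    *data = value;
    return true;
}

/* Walk every 4-byte-aligned offset in the register window, count how
 * many the case handles, and return the highest array index touched. */
static int max_index_reached(unsigned range_end, int *handled)
{
    ModelCPUState cs = { {0} };
    int max_idx = -1;
    *handled = 0;
    for (uint64_t off = GICR_IPRIORITYR; off <= GICR_IPRIORITYR + 0x1f; off += 4) {
        uint32_t data;
        if (model_readl(&cs, off, &data, range_end)) {
            (*handled)++;
            int top = (int)(off - GICR_IPRIORITYR) + 3;
            if (top > max_idx) {
                max_idx = top;
            }
        }
    }
    return max_idx;
}
```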


