qemu-cr16/include/hw
Peter Maydell 80dcd37feb hw/intc/arm_gicv3_its: Fix various off-by-one errors
The ITS code has to check whether various parameters passed in
commands are in-bounds, where the limit is defined in terms of the
number of bits that are available for the parameter.  (For example,
the GITS_TYPER.Devbits ID register field specifies the number of
DeviceID bits minus 1, and device IDs passed in the MAPTI and MAPD
command packets must fit in that many bits.)

Currently we have off-by-one bugs in many of these bounds checks.
The typical problem is that we define a max_foo as 1 << n. In
the Devbits example, we set
  s->dt.max_ids = 1UL << (GITS_TYPER.Devbits + 1).
However later when we do the bounds check we write
  if (devid > s->dt.max_ids) { /* command error */ }
which incorrectly permits a devid of 1 << n.

These bugs will not cause QEMU crashes because the ID values being
checked are only used for accesses into tables held in guest memory
which we access with address_space_*() functions, but they are
incorrect behaviour of our emulation.

Fix them by standardizing on this pattern:
 * bounds limits are named num_foos and are the 2^n value
   (equal to the number of valid foo values)
 * bounds checks are either
   if (fooid < num_foos) { good }
   or
   if (fooid >= num_foos) { bad }

In this commit we fix the handling of the number of IDs
in the device table and the collection table, and the number
of commands that will fit in the command queue.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2022-01-07 17:08:00 +00:00
acpi hw/acpi/ich9: Add compat prop to keep HPC bit set for 6.1 machine type 2021-11-15 09:44:46 -05:00
adc hw/adc: Add basic Aspeed ADC model 2021-10-12 08:20:08 +02:00
arm Add dummy Aspeed AST2600 Display Port MCU (DPMCU) 2022-01-07 17:07:57 +00:00
audio qom: Put name parameter before value / visitor parameter 2020-07-10 15:18:08 +02:00
block block: Add backend_defaults property 2021-07-06 14:28:55 +01:00
char hw/m68k: Fix typo in SPDX tag 2021-11-09 10:11:27 +01:00
core linux-user: Add code for PR_GET/SET_UNALIGN 2022-01-06 11:40:52 +01:00
cpu Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
cris hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
display macfb: add vertical blank interrupt 2021-10-08 13:31:03 +02:00
dma hw/dma/xlnx-zdma Always expect 'dma' link property to be set 2021-08-26 17:01:59 +01:00
firmware hw/smbios: support for type 41 (onboard devices extended information) 2021-05-14 10:26:18 -04:00
gpio hw: aspeed_gpio: Fix GPIO array indexing 2021-10-12 08:20:08 +02:00
hyperv Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
i2c aspeed/i2c: QOMify AspeedI2CBus 2021-10-12 08:20:08 +02:00
i386 hw: Add compat machines for 7.0 2022-01-05 09:06:36 +01:00
ide ide: Rename ide_bus_new() to ide_bus_init() 2021-09-30 13:44:13 +01:00
input hw/input/lm832x: Define TYPE_LM8323 in public header 2021-07-08 14:15:01 -05:00
intc hw/intc/arm_gicv3_its: Fix various off-by-one errors 2022-01-07 17:08:00 +00:00
ipack ipack: Rename ipack_bus_new_inplace() to ipack_bus_init() 2021-09-30 13:42:10 +01:00
ipmi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
isa vt82c686: Add a method to VIA_ISA to raise ISA interrupts 2021-10-18 00:41:36 +02:00
kvm target/i386: always create kvmclock device 2020-09-30 19:11:36 +02:00
m68k hw/m68k/next-cube: Add missing header comment to next-cube.h 2021-01-19 09:11:52 +01:00
mem pc-dimm: remove unnecessary get_vmstate_memory_region() method 2021-05-14 10:26:18 -04:00
mips hw/mips: Add a bootloader helper 2021-02-21 18:41:04 +01:00
misc hw/m68k: Fix typo in SPDX tag 2021-11-09 10:11:27 +01:00
net hw/net: Add npcm7xx emc model 2021-03-05 15:17:34 +00:00
nubus nubus: add support for slot IRQs 2021-09-29 10:45:19 +02:00
nvram hw/nvram: Introduce Xilinx battery-backed ram 2021-09-30 13:42:10 +01:00
pci pci: Let ld*_pci_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
pci-bridge Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-host ppc/pnv: Remove the PHB4 "device-id" property 2022-01-04 07:55:34 +01:00
ppc dma: Let ld*_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
rdma qapi: introduce x-query-rdma QMP command 2021-11-02 15:55:14 +00:00
remote multi-process: perform device reset in the remote process 2021-02-10 09:23:28 +00:00
riscv hw/riscv: microchip_pfsoc: Use the PLIC config helper function 2021-10-28 14:39:23 +10:00
rtc m48t59: remove legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
rx Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
s390x s390x/pci: add supported DT information to clp response 2021-12-17 09:12:37 +01:00
scsi hw/scsi: Fix scsi_bus_init_named() docstring 2021-12-18 10:57:36 +01:00
sd hw/sd: add nuvoton MMC 2021-11-02 14:14:55 -04:00
sensor sensor: Move hardware sensors from misc to a sensor directory 2021-06-17 07:10:32 -05:00
sh4 hw/intc/sh_intc: Inline and drop sh_intc_source() function 2021-10-30 18:39:37 +02:00
southbridge Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
sparc hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
ssi aspeed/smc: Use a container for the flash mmio address space 2021-10-22 09:52:17 +02:00
timer hw/timer: Add SiFive PWM support 2021-09-21 07:56:49 +10:00
tricore hw/tricore: Add testdevice for tests in tests/tcg/ 2021-05-18 09:36:21 +01:00
usb usb-storage: tag usb_msd_csw as packed struct 2021-11-02 17:24:18 +01:00
vfio vfio: Query and store the maximum number of possible DMA mappings 2021-07-08 15:54:45 -04:00
virtio virtio-gpu: do not byteswap padding 2021-12-10 09:47:18 +01:00
watchdog watchdog: aspeed: Sanitize control register values 2021-09-20 08:50:59 +02:00
xen xen: Free xenforeignmemory_resource at exit 2021-05-10 13:43:58 +01:00
xtensa
boards.h hw: Add compat machines for 7.0 2022-01-05 09:06:36 +01:00
clock.h host-utils: add 128-bit quotient support to divu128/divs128 2021-10-27 17:10:00 -07:00
elf_ops.h hw/elf_ops.h: switch to ssize_t for elf loader return type 2021-10-20 16:26:19 -07:00
fw-path-provider.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hotplug.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hw.h
ide.h hw/ide: Move MAX_IDE_DEVS define to hw/ide/internal.h 2020-03-17 12:22:36 -04:00
irq.h include/hw/irq.h: New function qemu_irq_is_connected() 2020-08-03 17:55:03 +01:00
loader-fit.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
loader.h hw/elf_ops.h: switch to ssize_t for elf loader return type 2021-10-20 16:26:19 -07:00
nmi.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
or-irq.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
pcmcia.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
platform-bus.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
ptimer.h ptimer: Add new ptimer_set_period_from_clock() function 2021-01-29 15:54:42 +00:00
qdev-clock.h clock: Add ClockEvent parameter to callbacks 2021-03-08 17:20:01 +00:00
qdev-core.h hw/qdev: Rename qdev_connect_gpio_out*() 'input_pin' parameter 2021-12-31 13:21:36 +01:00
qdev-dma.h
qdev-properties-system.h qdev: Reuse DEFINE_PROP in all DEFINE_PROP_* macros 2020-12-18 15:20:17 -05:00
qdev-properties.h qdev-properties: PropertyInfo: add realized_set_allowed field 2021-09-01 12:57:31 +02:00
register.h hw/core/register: Add more 64-bit utilities 2021-09-01 11:59:12 +10:00
registerfields.h hw/registerfields: Use 64-bit bitfield for FIELD_DP64 2021-09-01 11:59:12 +10:00
resettable.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
stream.h hw/core/stream: Rename StreamSlave as StreamSink 2020-12-10 12:15:04 -05:00
sysbus.h qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
usb.h usb: drop usb_host_dev_is_scsi_storage hook 2021-07-09 18:21:33 +02:00
vmstate-if.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00