mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-11-05 20:35:44 +00:00
8b8bb0146b
Currently when we fill in a TableDesc based on the value the guest has written to the GITS_BASER<n> register, we calculate both: * num_entries : the number of entries in the table, constrained by the amount of memory the guest has given it * num_ids : the number of IDs we support for this table, constrained by the implementation choices and the architecture (eg DeviceIDs are 16 bits, so num_ids is 1 << 16) When validating ITS commands, however, we check only num_ids, thus allowing a broken guest to specify table entries that index off the end of it. This will only corrupt guest memory, but the ITS is supposed to reject such commands as invalid. Instead of calculating both num_entries and num_ids, set num_entries to the minimum of the two limits, and check that. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-13-peter.maydell@linaro.org |
||
|---|---|---|
| .. | ||
| authz | ||
| block | ||
| chardev | ||
| crypto | ||
| disas | ||
| exec | ||
| fpu | ||
| hw | ||
| io | ||
| libdecnumber | ||
| migration | ||
| monitor | ||
| net | ||
| qapi | ||
| qemu | ||
| qom | ||
| scsi | ||
| semihosting | ||
| standard-headers | ||
| sysemu | ||
| tcg | ||
| ui | ||
| user | ||
| elf.h | ||
| glib-compat.h | ||
| qemu-common.h | ||
| qemu-io.h | ||
| trace-tcg.h | ||