Peter Maydell <peter.mayd...@linaro.org> writes:
> We set the TableDesc entry_sz field from the appropriate
> GITS_BASER.ENTRYSIZE field. That ID register field specifies the
> number of bytes per table entry minus one. However when we use
> td->entry_sz we assume it to be the number of bytes per table entry
> (for instance we calculate the number of entries in a page by
> dividing the page size by the entry size).
>
> The effects of this bug are:
> * we miscalculate the maximum number of entries in the table,
> so our checks on guest index values are wrong (too lax)
> * when looking up an entry in the second level of an indirect
> table, we calculate an incorrect index into the L2 table.
> Because we make the same incorrect calculation on both
> reads and writes of the L2 table, the guest won't notice
> unless it's unlucky enough to use an index value that
> causes us to index off the end of the L2 table page and
> cause guest memory corruption in whatever follows
>
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>

Reviewed-by: Alex Bennée <alex.ben...@linaro.org>

--
Alex Bennée
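The entry_sz off-by-one described in the quoted commit message, shown as an added example rather than QEMU's own code: it assumes the Entry_Size field sits at GITS_BASER bits [52:48], a 4KB table page and a hypothetical TableDesc stand-in, and puts the buggy and corrected computations side by side so the too-lax bound and the diverging L2 location are visible on constructed input.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed GITS_BASER layout (GICv3 spec): Entry_Size is bits [52:48], encoded as
 * bytes-per-entry minus one. Page size fixed at 4KB for this illustration. */
#define GITS_BASER_ENTRYSIZE_SHIFT 48
#define GITS_BASER_ENTRYSIZE_MASK  0x1fULL
#define ITS_PAGE_SZ                4096u

/* Hypothetical stand-in for the TableDesc named in the commit message. */
typedef struct { uint32_t entry_sz; uint32_t page_sz; } TableDesc;

static uint32_t baser_entrysize(uint64_t baser)
{
    return (uint32_t)((baser >> GITS_BASER_ENTRYSIZE_SHIFT) & GITS_BASER_ENTRYSIZE_MASK);
}

/* Buggy: stores the raw "bytes minus one" field as if it were a byte count. */
static TableDesc td_init_buggy(uint64_t baser)
{
    return (TableDesc){ baser_entrysize(baser), ITS_PAGE_SZ };
}

/* Fixed: the +1 turns the register encoding into the real entry size. */
static TableDesc td_init_fixed(uint64_t baser)
{
    return (TableDesc){ baser_entrysize(baser) + 1, ITS_PAGE_SZ };
}

/* Entries per table page; a guest index into a flat table must be below this. */
static uint32_t entries_per_page(const TableDesc *td) { return td->page_sz / td->entry_sz; }

/* Indirect table: which L2 page holds idx, and the entry's byte offset within it. */
static void l2_locate(const TableDesc *td, uint32_t idx, uint32_t *page, uint32_t *off)
{
    uint32_t per_page = entries_per_page(td);
    *page = idx / per_page;
    *off = (idx % per_page) * td->entry_sz;
}

int main(void)
{
    uint64_t baser = (uint64_t)7 << GITS_BASER_ENTRYSIZE_SHIFT; /* constructed: 8-byte entries */
    TableDesc bug = td_init_buggy(baser), fix = td_init_fixed(baser);
    uint32_t p, o;
    printf("entries/page: buggy %u, fixed %u\n", entries_per_page(&bug), entries_per_page(&fix));
    l2_locate(&bug, 520, &p, &o); printf("idx 520 buggy: page %u off %u\n", p, o);
    l2_locate(&fix, 520, &p, &o); printf("idx 520 fixed: page %u off %u\n", p, o);
    return 0;
}
```

With 8-byte entries the buggy descriptor accepts indices up to 584 instead of 511, and index 520 lands at offset 3640 of L2 page 0 rather than offset 64 of page 1.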