diff options
| author | Max Filippov <jcmvbkbc@gmail.com> | 2023-12-15 04:03:07 -0800 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2024-01-26 11:30:47 +0000 |
| commit | 604927e357c2b292c70826e4ce42574ad126ef32 (patch) | |
| tree | 92e8d241a3de6eef75587a7ca001075fde4f2cf4 /hw/arm/virt.c | |
| parent | 5bab95dc74d43bbb28c6a96d24c810a664432057 (diff) | |
| download | focaccia-qemu-604927e357c2b292c70826e4ce42574ad126ef32.tar.gz focaccia-qemu-604927e357c2b292c70826e4ce42574ad126ef32.zip | |
target/xtensa: fix OOB TLB entry access
r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
by the guest. The host uses 3 bits of the index for ITLB indexing and 4
bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
the DTLB array, so a malicious guest may trigger out-of-bound access to
these arrays.
Change split_tlb_entry_spec return type to bool to indicate whether TLB
way passed to it is valid. Change get_tlb_entry to return NULL in case
invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
requested TLB way and entry indices are valid. Add checks to the
[rwi]tlb helpers that requested TLB way is valid and return 0 or do
nothing when it's not.
Cc: qemu-stable@nongnu.org
Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/arm/virt.c')
0 files changed, 0 insertions, 0 deletions