diff options
| author | Nicolas Pitre <nico@fluxnic.net> | 2022-06-15 17:11:51 -0400 |
|---|---|---|
| committer | Alistair Francis <alistair@alistair23.me> | 2022-07-03 10:03:20 +1000 |
| commit | 2e983399186b9ff85521dd35082779a133cd9b2b (patch) | |
| tree | 5a61dba233b47e7c3927fbbd56331f659d507468 /scripts/qapi/common.py | |
| parent | a9814e3e08d2aacbd9018c36c77c2fb652537848 (diff) | |
| download | focaccia-qemu-2e983399186b9ff85521dd35082779a133cd9b2b.tar.gz focaccia-qemu-2e983399186b9ff85521dd35082779a133cd9b2b.zip | |
target/riscv/pmp: guard against PMP ranges with a negative size
For a TOR entry to match, the stard address must be lower than the end address. Normally this is always the case, but correct code might still run into the following scenario: Initial state: pmpaddr3 = 0x2000 pmp3cfg = OFF pmpaddr4 = 0x3000 pmp4cfg = TOR Execution: 1. write 0x40ff to pmpaddr3 2. write 0x32ff to pmpaddr4 3. set pmp3cfg to NAPOT with a read-modify-write on pmpcfg0 4. set pmp4cfg to NAPOT with a read-modify-write on pmpcfg1 When (2) is emulated, a call to pmp_update_rule() creates a negative range for pmp4 as pmp4cfg is still set to TOR. And when (3) is emulated, a call to tlb_flush() is performed, causing pmp_get_tlb_size() to return a very creatively large TLB size for pmp4. This, in turn, may result in accesses to non-existent/unitialized memory regions and a fault, so that (4) ends up never being executed. This is in m-mode with MPRV unset, meaning that unlocked PMP entries should have no effect. Therefore such a behavior based on PMP content is very unexpected. Make sure no negative PMP range can be created, whether explicitly by the emulated code or implicitly like the above. Signed-off-by: Nicolas Pitre <nico@fluxnic.net> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <3oq0sqs1-67o0-145-5n1s-453o118804q@syhkavp.arg> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Diffstat (limited to 'scripts/qapi/common.py')
0 files changed, 0 insertions, 0 deletions