Google Git
Sign in
fuchsia / third_party / qemu / ecc23c6e9503380c276a303754b6324fc6d4c054
commitecc23c6e9503380c276a303754b6324fc6d4c054[log] [tgz]
authorMax Filippov <jcmvbkbc@gmail.com>Fri Dec 15 04:03:07 2023 -0800
committerMichael Tokarev <mjt@tls.msk.ru>Sat Jan 27 18:05:30 2024 +0300
treed59809806285c747d7c26f511ede193f167e0246
parentfa020ef10b1448ad4bb998dbdc5917e942363e30 [diff]
target/xtensa: fix OOB TLB entry access

r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
by the guest. The host uses 3 bits of the index for ITLB indexing and 4
bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
the DTLB array, so a malicious guest may trigger out-of-bound access to
these arrays.

Change split_tlb_entry_spec return type to bool to indicate whether TLB
way passed to it is valid. Change get_tlb_entry to return NULL in case
invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
requested TLB way and entry indices are valid. Add checks to the
[rwi]tlb helpers that requested TLB way is valid and return 0 or do
nothing when it's not.

Cc: qemu-stable@nongnu.org
Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 604927e357c2b292c70826e4ce42574ad126ef32)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
1 file changed
tree: d59809806285c747d7c26f511ede193f167e0246
  1. .github/
  2. .gitlab/
  3. .gitlab-ci.d/
  4. accel/
  5. audio/
  6. authz/
  7. backends/
  8. block/
  9. bsd-user/
  10. chardev/
  11. common-user/
  12. configs/
  13. contrib/
  14. crypto/
  15. disas/
  16. docs/
  17. dump/
  18. ebpf/
  19. fpu/
  20. fsdev/
  21. gdb-xml/
  22. gdbstub/
  23. hw/
  24. include/
  25. io/
  26. libdecnumber/
  27. linux-headers/
  28. linux-user/
  29. migration/
  30. monitor/
  31. nbd/
  32. net/
  33. pc-bios/
  34. plugins/
  35. po/
  36. python/
  37. qapi/
  38. qga/
  39. qobject/
  40. qom/
  41. replay/
  42. roms/
  43. scripts/
  44. scsi/
  45. semihosting/
  46. softmmu/
  47. storage-daemon/
  48. stubs/
  49. subprojects/
  50. target/
  51. tcg/
  52. tests/
  53. tools/
  54. trace/
  55. ui/
  56. util/
  57. dtc
  58. meson
  59. .cirrus.yml
  60. .dir-locals.el
  61. .editorconfig
  62. .exrc
  63. .gdbinit
  64. .gitattributes
  65. .gitignore
  66. .gitlab-ci.yml
  67. .gitmodules
  68. .gitpublish
  69. .mailmap
  70. .patchew.yml
  71. .readthedocs.yml
  72. .travis.yml
  73. block.c
  74. blockdev-nbd.c
  75. blockdev.c
  76. blockjob.c
  77. configure
  78. COPYING
  79. COPYING.LIB
  80. cpu.c
  81. cpus-common.c
  82. disas.c
  83. event-loop-base.c
  84. gitdm.config
  85. hmp-commands-info.hx
  86. hmp-commands.hx
  87. iothread.c
  88. job-qmp.c
  89. job.c
  90. Kconfig
  91. Kconfig.host
  92. LICENSE
  93. MAINTAINERS
  94. Makefile
  95. memory_ldst.c.inc
  96. meson.build
  97. meson_options.txt
  98. module-common.c
  99. os-posix.c
  100. os-win32.c
  101. page-vary-common.c
  102. page-vary.c
  103. qemu-bridge-helper.c
  104. qemu-edid.c
  105. qemu-img-cmds.hx
  106. qemu-img.c
  107. qemu-io-cmds.c
  108. qemu-io.c
  109. qemu-keymap.c
  110. qemu-nbd.c
  111. qemu-options.hx
  112. qemu.nsi
  113. qemu.sasl
  114. README.rst
  115. replication.c
  116. trace-events
  117. VERSION
  118. version.rc