From: Max Filippov <jcmvbkbc@gmail.com>
To: qemu-devel@nongnu.org
Cc: Max Filippov <jcmvbkbc@gmail.com>, qemu-stable@nongnu.org
Subject: [PATCH] target/xtensa: fix OOB TLB entry access
Date: Fri, 15 Dec 2023 04:03:07 -0800	[thread overview]
Message-ID: <20231215120307.545381-1-jcmvbkbc@gmail.com> (raw)

r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
by the guest. The host uses 3 bits of the index for ITLB indexing and 4
bits for DTLB, but there are only 7 entries in the ITLB array and 10 in
the DTLB array, so a malicious guest may trigger out-of-bounds access to
these arrays.

Change split_tlb_entry_spec return type to bool to indicate whether TLB
way passed to it is valid. Change get_tlb_entry to return NULL in case
invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
requested TLB way and entry indices are valid. Add checks to the
[rwi]tlb helpers that requested TLB way is valid and return 0 or do
nothing when it's not.

Cc: qemu-stable@nongnu.org
Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
---
 target/xtensa/mmu_helper.c | 47 ++++++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/target/xtensa/mmu_helper.c b/target/xtensa/mmu_helper.c
index 12552a33470e..2fda4e887cce 100644
--- a/target/xtensa/mmu_helper.c
+++ b/target/xtensa/mmu_helper.c
@@ -224,22 +224,31 @@ static void split_tlb_entry_spec_way(const CPUXtensaState *env, uint32_t v,
  * Split TLB address into TLB way, entry index and VPN (with index).
  * See ISA, 4.6.5.5 - 4.6.5.8 for the TLB addressing format
  */
-static void split_tlb_entry_spec(CPUXtensaState *env, uint32_t v, bool dtlb,
-        uint32_t *vpn, uint32_t *wi, uint32_t *ei)
+static bool split_tlb_entry_spec(CPUXtensaState *env, uint32_t v, bool dtlb,
+                                 uint32_t *vpn, uint32_t *wi, uint32_t *ei)
 {
     if (xtensa_option_enabled(env->config, XTENSA_OPTION_MMU)) {
         *wi = v & (dtlb ? 0xf : 0x7);
-        split_tlb_entry_spec_way(env, v, dtlb, vpn, *wi, ei);
+        if (*wi < (dtlb ? env->config->dtlb.nways : env->config->itlb.nways)) {
+            split_tlb_entry_spec_way(env, v, dtlb, vpn, *wi, ei);
+            return true;
+        } else {
+            return false;
+        }
     } else {
         *vpn = v & REGION_PAGE_MASK;
         *wi = 0;
         *ei = (v >> 29) & 0x7;
+        return true;
     }
 }
 
 static xtensa_tlb_entry *xtensa_tlb_get_entry(CPUXtensaState *env, bool dtlb,
                                               unsigned wi, unsigned ei)
 {
+    const xtensa_tlb *tlb = dtlb ? &env->config->dtlb : &env->config->itlb;
+
+    assert(wi < tlb->nways && ei < tlb->way_size[wi]);
     return dtlb ?
         env->dtlb[wi] + ei :
         env->itlb[wi] + ei;
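Review bot: The header comment above split_tlb_entry_spec (the context lines at the top of this hunk) still describes only the split and says nothing about the new bool result, so the contract that `*vpn` and `*ei` are left unwritten when the way is rejected is undocumented; add a line such as `Returns false, leaving *vpn and *ei untouched, when the way encoded in v does not exist in the selected TLB.` The check itself matches the description: the 0x7 mask admits 8 ITLB way indices against 7 ways and the 0xf mask admits 16 DTLB indices against 10, and comparing against `nways` closes both. The new assert in xtensa_tlb_get_entry also constrains the non-MMU path, where `*ei = (v >> 29) & 0x7` is guest-controlled and the function returns true unconditionally; that is only safe if every region-protection config has `way_size[0] >= 8`, which this hunk cannot show and is worth confirming, since an assert reachable from guest state turns a bounds bug into a guest-triggered abort of the emulator. The nested `if/else` in split_tlb_entry_spec would read more directly as a guard, `if (*wi >= (dtlb ? env->config->dtlb.nways : env->config->itlb.nways)) { return false; }`, followed by the existing call and `return true;`.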
@@ -252,11 +261,14 @@ static xtensa_tlb_entry *get_tlb_entry(CPUXtensaState *env,
     uint32_t wi;
     uint32_t ei;
 
-    split_tlb_entry_spec(env, v, dtlb, &vpn, &wi, &ei);
-    if (pwi) {
-        *pwi = wi;
+    if (split_tlb_entry_spec(env, v, dtlb, &vpn, &wi, &ei)) {
+        if (pwi) {
+            *pwi = wi;
+        }
+        return xtensa_tlb_get_entry(env, dtlb, wi, ei);
+    } else {
+        return NULL;
     }
-    return xtensa_tlb_get_entry(env, dtlb, wi, ei);
 }
 
 static void xtensa_tlb_set_entry_mmu(const CPUXtensaState *env,
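Review bot: get_tlb_entry now returns NULL for an invalid way index, but nothing at the definition says so, and every caller must remember to test the result before dereferencing; the signature is above this hunk, so the comment belongs there, e.g. `Returns NULL when v encodes a TLB way that does not exist in the selected TLB; *pwi is written only on success.` The nested `if/else` would read more directly as a guard clause, `if (!split_tlb_entry_spec(env, v, dtlb, &vpn, &wi, &ei)) { return NULL; }`, followed by the unchanged `pwi` assignment and return. Because `*pwi` is left unwritten on the NULL path, callers that pass `&wi` (rtlb0 and itlb below) must not read `wi` when the entry is NULL, which the later hunks do respect but which the comment should state.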
@@ -482,7 +494,12 @@ uint32_t HELPER(rtlb0)(CPUXtensaState *env, uint32_t v, uint32_t dtlb)
     if (xtensa_option_enabled(env->config, XTENSA_OPTION_MMU)) {
         uint32_t wi;
         const xtensa_tlb_entry *entry = get_tlb_entry(env, v, dtlb, &wi);
-        return (entry->vaddr & get_vpn_mask(env, dtlb, wi)) | entry->asid;
+
+        if (entry) {
+            return (entry->vaddr & get_vpn_mask(env, dtlb, wi)) | entry->asid;
+        } else {
+            return 0;
+        }
     } else {
         return v & REGION_PAGE_MASK;
     }
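Review bot: Returning 0 for an out-of-range way in rtlb0 (and identically in rtlb1 in the next hunk) is a silent value substitution that a reader cannot distinguish from a genuine entry whose fields are all zero, and neither hunk records why that value was chosen; a one-line comment would help, e.g. `/* way index not present in this TLB: nothing to dereference, read as 0 */`. Whether the ISA defines a result for an undefined way index is not visible here; if it does, citing it would justify the constant. Both helpers could also use a guard, `if (!entry) { return 0; }`, ahead of the existing return instead of the `if/else`.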
@@ -491,7 +508,12 @@ uint32_t HELPER(rtlb0)(CPUXtensaState *env, uint32_t v, uint32_t dtlb)
 uint32_t HELPER(rtlb1)(CPUXtensaState *env, uint32_t v, uint32_t dtlb)
 {
     const xtensa_tlb_entry *entry = get_tlb_entry(env, v, dtlb, NULL);
-    return entry->paddr | entry->attr;
+
+    if (entry) {
+        return entry->paddr | entry->attr;
+    } else {
+        return 0;
+    }
 }
 
 void HELPER(itlb)(CPUXtensaState *env, uint32_t v, uint32_t dtlb)
@@ -499,7 +521,7 @@ void HELPER(itlb)(CPUXtensaState *env, uint32_t v, uint32_t dtlb)
     if (xtensa_option_enabled(env->config, XTENSA_OPTION_MMU)) {
         uint32_t wi;
         xtensa_tlb_entry *entry = get_tlb_entry(env, v, dtlb, &wi);
-        if (entry->variable && entry->asid) {
+        if (entry && entry->variable && entry->asid) {
             tlb_flush_page(env_cpu(env), entry->vaddr);
             entry->asid = 0;
         }
@@ -537,8 +559,9 @@ void HELPER(wtlb)(CPUXtensaState *env, uint32_t p, uint32_t v, uint32_t dtlb)
     uint32_t vpn;
     uint32_t wi;
     uint32_t ei;
-    split_tlb_entry_spec(env, v, dtlb, &vpn, &wi, &ei);
-    xtensa_tlb_set_entry(env, dtlb, wi, ei, vpn, p);
+    if (split_tlb_entry_spec(env, v, dtlb, &vpn, &wi, &ei)) {
+        xtensa_tlb_set_entry(env, dtlb, wi, ei, vpn, p);
+    }
 }
 
 /*!
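Review bot: The dropped write in wtlb when split_tlb_entry_spec rejects the way carries no comment, and a reader of the function (whose signature and any earlier statements are above this hunk) has no way to tell that ignoring the request is deliberate; a line such as `/* way index not present in this TLB: drop the write, mirroring the rtlb helpers reading such entries as 0 */` records the choice. Since this is a guest-facing path, a `qemu_log_mask(LOG_GUEST_ERROR, ...)` on the rejected branch would make the misbehaving guest visible in the log if the file already uses that facility elsewhere; the hunk does not show whether it does.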
-- 
2.39.2


