qemu-devel.nongnu.org archive mirror
From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 36/43] target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT
Date: Tue, 24 Feb 2015 15:48:11 -0600
Message-ID: <1424814498-6993-37-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1424814498-6993-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Peter Maydell <peter.maydell@linaro.org>

The LDT/STT (load/store unprivileged) instruction decode was using
the wrong MMU index value. This meant that instead of these insns
being "always access as if user-mode regardless of current privilege"
they were "always access as if kernel-mode regardless of current
privilege". This went unnoticed because AArch64 Linux doesn't use
these instructions.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
I'm not counting this as a security issue because I'm assuming
nobody treats TCG guests as a security boundary (certainly I
would not recommend doing so...)

(cherry picked from commit 949013ce111eb64f8bc81cf9a9f1cefd6a1678c3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/translate-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
index 80d2c07..97206aa 100644
--- a/target-arm/translate-a64.c
+++ b/target-arm/translate-a64.c
@@ -2107,7 +2107,7 @@ static void disas_ldst_reg_imm9(DisasContext *s, uint32_t insn)
         }
     } else {
         TCGv_i64 tcg_rt = cpu_reg(s, rt);
-        int memidx = is_unpriv ? 1 : get_mem_index(s);
+        int memidx = is_unpriv ? MMU_USER_IDX : get_mem_index(s);
 
         if (is_store) {
             do_gpr_st_memidx(s, tcg_rt, tcg_addr, size, memidx);
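Review bot: the named constant is the right replacement for the literal, but the unprivileged branch still hard-codes one index instead of deriving it from the current EL, so the backport is only correct if MMU_USER_IDX in this tree's target-arm/cpu.h is the index the softmmu TLB uses for EL0 accesses; the commit message says the replaced literal `1` selected the kernel-mode index, so a stale or different definition in the 2.2 stable tree would silently keep the old behaviour. The effect is not limited to EL1: with the old literal an LDT/STT issued at EL0 also ran with the kernel index, which is the case Peter's note about TCG not being a security boundary refers to. Since the message notes AArch64 Linux never issues these instructions, a small guest test that executes LDTR from EL1 against a page mapped without EL0 read permission and expects a permission fault is the only thing likely to catch a regression here.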
-- 
1.9.1

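The commit message states the bug in one sentence (the unprivileged forms accessed "as if kernel-mode regardless of current privilege"); the following C program, an added illustration and not QEMU's code, models why that matters in a softmmu-style translator. It assumes a two-index MMU (MMU_USER_IDX = 0 for EL0, a kernel index of 1 for EL1), a four-page guest address space with one "readable from EL0" bit per page, and small constructed data values; the function names ldt_memidx_buggy, ldt_memidx_fixed, tlb_load and exec_ldtr are hypothetical. It shows that with the literal `1` an LDTR executed at EL0 reads a kernel-only page, and that with the named constant both EL0 and EL1 get the permission fault the architecture requires.

```c
/*
 * Constructed model (not QEMU code) of MMU-index selection for LDT/STT.
 * Assumed numbering: user index 0, kernel index 1. Page layout and data
 * values are made up for the demonstration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MMU_USER_IDX   0   /* assumed: index used for EL0 accesses */
#define MMU_KERNEL_IDX 1   /* assumed: index used for EL1 accesses */
#define PAGE_SHIFT     12
#define NPAGES         4

/* Per-page state: contents plus a single "readable from EL0" permission. */
struct page {
    int64_t data;
    bool user_readable;
};

/* Constructed guest memory: pages 0-1 are user pages, pages 2-3 kernel-only. */
static struct page guest_pages[NPAGES] = {
    { 0x1111, true  },
    { 0x2222, true  },
    { 0xdead, false },   /* kernel-only */
    { 0xbeef, false },   /* kernel-only */
};

/*
 * Softmmu-style lookup: the MMU index alone, not the CPU's actual EL,
 * decides whether a kernel-only page is visible. Returns the loaded
 * value, or -1 on a permission fault (data values are non-negative).
 */
static int64_t tlb_load(int memidx, uint64_t addr)
{
    uint64_t page = addr >> PAGE_SHIFT;
    if (page >= NPAGES) {
        return -1;
    }
    if (memidx == MMU_USER_IDX && !guest_pages[page].user_readable) {
        return -1;   /* user-mode access to a kernel-only page faults */
    }
    return guest_pages[page].data;
}

/* Counterpart of get_mem_index(s): the index for ordinary loads at this EL. */
static int get_mem_index(int current_el)
{
    return current_el == 0 ? MMU_USER_IDX : MMU_KERNEL_IDX;
}

/* Pre-fix selection: the literal 1, which in this model is the kernel index. */
static int ldt_memidx_buggy(bool is_unpriv, int current_el)
{
    return is_unpriv ? 1 : get_mem_index(current_el);
}

/* Fixed selection, as in the patch: the named user-mode index. */
static int ldt_memidx_fixed(bool is_unpriv, int current_el)
{
    return is_unpriv ? MMU_USER_IDX : get_mem_index(current_el);
}

/*
 * Execute an LDTR (is_unpriv = true) from current_el against addr using
 * either the buggy or the fixed index choice. Returns the value or -1.
 */
static int64_t exec_ldtr(bool fixed, int current_el, uint64_t addr)
{
    int memidx = fixed ? ldt_memidx_fixed(true, current_el)
                       : ldt_memidx_buggy(true, current_el);
    return tlb_load(memidx, addr);
}

int main(void)
{
    uint64_t kaddr = 2ULL << PAGE_SHIFT;   /* a kernel-only page */

    printf("EL0 LDTR of kernel page, buggy index: %lld\n",
           (long long)exec_ldtr(false, 0, kaddr));   /* reads 0xdead: bug */
    printf("EL0 LDTR of kernel page, fixed index: %lld\n",
           (long long)exec_ldtr(true, 0, kaddr));    /* -1: correct fault */
    printf("EL1 LDTR of kernel page, fixed index: %lld\n",
           (long long)exec_ldtr(true, 1, kaddr));    /* -1: correct fault */
    printf("EL1 LDTR of user page, fixed index:   %lld\n",
           (long long)exec_ldtr(true, 1, 0));        /* 0x1111 */
    return 0;
}
```

The model deliberately makes the permission decision depend only on the MMU index handed to the TLB, which is the property that turns a wrong literal into a privilege bypass: nothing downstream of the translator re-checks the real EL.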
Thread overview: 50+ messages
2015-02-24 21:47 [Qemu-devel] Patch Round-up for stable 2.2.1, freeze on 2015-03-05 Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 01/43] block: Make essential BlockDriver objects public Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 02/43] block: Omit bdrv_find_format for essential drivers Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 03/43] block/vvfat: qcow driver may not be found Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 04/43] block/nfs: Add create_opts Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 05/43] block: Check create_opts before image creation Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 06/43] qemu-img: " Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 07/43] qemu-img: Check create_opts before image amendment Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 08/43] iotests: Only kill NBD server if it runs Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 09/43] iotests: Add test for unsupported image creation Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 10/43] qcow2: Prevent numerical overflow Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 11/43] qcow2: Flushing the caches in qcow2_close may fail Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 12/43] qcow2: Respect bdrv_truncate() error Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 13/43] block/raw-posix: Fix ret in raw_open_common() Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 14/43] block migration: fix return value Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 15/43] qcow2: Fix header extension size check Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 16/43] qcow2.py: Add required padding for header extensions Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 17/43] block: Don't probe for unknown backing file format Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 18/43] linuxboot: fix loading old kernels Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 19/43] audio: Don't free hw resources until after hw backend is stopped Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 20/43] target-xtensa: fix translation for opcodes crossing page boundary Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 21/43] target-xtensa: test cross-page opcode Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 22/43] migration/block: fix pending() return value Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 23/43] atomic: fix position of volatile qualifier Michael Roth
2015-02-24 21:47 ` [Qemu-devel] [PATCH 24/43] PPC: Fix crash on spapr_tce_table_finalize() Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 25/43] vl.c: fix regression when reading machine type from config file Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 26/43] serial: reset thri_pending on IER writes with THRI=0 Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 27/43] serial: refine serial_thr_ipending_needed Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 28/43] pckbd: set bits 2-3-6-7 of the output port by default Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 29/43] linux-user: Fix broken m68k signal handling on 64 bit hosts Michael Roth
2015-02-25  8:39   ` Laurent Vivier
2015-02-25 11:28     ` Peter Maydell
2015-02-25 11:58       ` Laurent Vivier
2015-02-25 12:14         ` Peter Maydell
2015-02-24 21:48 ` [Qemu-devel] [PATCH 30/43] scsi: fix cancellation when I/O was completed but DMA was not Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 31/43] target-i386: fix movntsd on big-endian hosts Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 32/43] vt82c686: avoid out-of-bounds read Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 33/43] virtio: fix feature bit checks Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 34/43] sb16: fix interrupt acknowledgement Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 35/43] hw/input/hid.c Fix capslock hid code Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 36/43] target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 37/43] vfio-pci: Fix missing unparent of dynamically allocated MemoryRegion Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 38/43] qemu-thread: fix qemu_event without futexes Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 39/43] libcacard: stop linking against every single 3rd party library Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 40/43] fix mc146818rtc wrong subsection name to avoid vmstate_subsection_load() fail Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 41/43] block/iscsi: fix uninitialized variable Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 42/43] qtest: Fix deadloop by running main loop AIO context's timers Michael Roth
2015-02-24 21:48 ` [Qemu-devel] [PATCH 43/43] exec: change default exception_index value for migration to -1 Michael Roth
2015-02-25  2:51 ` [Qemu-devel] [Qemu-stable] Patch Round-up for stable 2.2.1, freeze on 2015-03-05 Gonglei (Arei)
2015-02-25  9:33 ` [Qemu-devel] " Leon Alrae