[PULL 05/19] target/riscv/pmp: guard against PMP ranges with a negative size

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Alistair Francis <alistair.francis@opensource.wdc.com>
To: qemu-devel@nongnu.org
Cc: alistair23@gmail.com, Nicolas Pitre <nico@fluxnic.net>,
	Alistair Francis <alistair.francis@wdc.com>
Subject: [PULL 05/19] target/riscv/pmp: guard against PMP ranges with a negative size
Date: Sun,  3 Jul 2022 10:09:24 +1000	[thread overview]
Message-ID: <20220703000938.437765-6-alistair.francis@opensource.wdc.com> (raw)
In-Reply-To: <20220703000938.437765-1-alistair.francis@opensource.wdc.com>

From: Nicolas Pitre <nico@fluxnic.net>

For a TOR entry to match, the stard address must be lower than the end
address. Normally this is always the case, but correct code might still
run into the following scenario:

Initial state:

	pmpaddr3 = 0x2000	pmp3cfg = OFF
	pmpaddr4 = 0x3000	pmp4cfg = TOR

Execution:

	1. write 0x40ff to pmpaddr3
	2. write 0x32ff to pmpaddr4
	3. set pmp3cfg to NAPOT with a read-modify-write on pmpcfg0
	4. set pmp4cfg to NAPOT with a read-modify-write on pmpcfg1

When (2) is emulated, a call to pmp_update_rule() creates a negative
range for pmp4 as pmp4cfg is still set to TOR. And when (3) is emulated,
a call to tlb_flush() is performed, causing pmp_get_tlb_size() to return
a very creatively large TLB size for pmp4. This, in turn, may result in
accesses to non-existent/unitialized memory regions and a fault, so that
(4) ends up never being executed.

This is in m-mode with MPRV unset, meaning that unlocked PMP entries
should have no effect. Therefore such a behavior based on PMP content
is very unexpected.

Make sure no negative PMP range can be created, whether explicitly by
the emulated code or implicitly like the above.

Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <3oq0sqs1-67o0-145-5n1s-453o118804q@syhkavp.arg>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
 target/riscv/pmp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
index 151da3fa08..ea2b67d947 100644
--- a/target/riscv/pmp.c
+++ b/target/riscv/pmp.c
@@ -167,6 +167,9 @@ void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index)
     case PMP_AMATCH_TOR:
         sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */
         ea = (this_addr << 2) - 1u;
+        if (sa > ea) {
+            sa = ea = 0u;
+        }
         break;

     case PMP_AMATCH_NA4:
-- 
2.36.1

next prev parent reply	other threads:[~2022-07-03  0:14 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-03  0:09 [PULL 00/19] riscv-to-apply queue Alistair Francis
2022-07-03  0:09 ` [PULL 01/19] target/riscv: Remove condition guarding register zero for auipc and lui Alistair Francis
2022-07-03  0:09 ` [PULL 02/19] target/riscv: Set env->bins in gen_exception_illegal Alistair Francis
2022-07-03  0:09 ` [PULL 03/19] target/riscv: Remove generate_exception_mtval Alistair Francis
2022-07-03  0:09 ` [PULL 04/19] target/riscv: Minimize the calls to decode_save_opc Alistair Francis
2022-07-03  0:09 ` Alistair Francis [this message]
2022-07-03  0:09 ` [PULL 06/19] target/riscv: Fix PMU CSR predicate function Alistair Francis
2022-07-03  0:12 ` [PULL 00/19] riscv-to-apply queue Alistair Francis

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:151da3fa0 dfblob:ea2b67d94 )
 OR (
bs:"[PULL 05/19] target/riscv/pmp: guard against PMP ranges with a negative size" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220703000938.437765-6-alistair.francis@opensource.wdc.com \
    --to=alistair.francis@opensource.wdc.com \
    --cc=alistair.francis@wdc.com \
    --cc=alistair23@gmail.com \
    --cc=nico@fluxnic.net \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).