]> git.ipfire.org Git - thirdparty/qemu.git/commit
projects / thirdparty / qemu.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d24dd10) | patch
target/xtensa: fix OOB TLB entry access
authorMax Filippov <jcmvbkbc@gmail.com>
Fri, 15 Dec 2023 12:03:07 +0000 (04:03 -0800)
committerMichael Tokarev <mjt@tls.msk.ru>
Sat, 27 Jan 2024 15:05:25 +0000 (18:05 +0300)
commitb86fa3a4f2daa78ae99240d1f49bfe362d65b687
tree54e323fd725ee08a03777a94bfe983d23adf6950tree
parentd24dd1014336d2aefd1e3a431c15b38279a46d40commit | diff
target/xtensa: fix OOB TLB entry access

r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
by the guest. The host uses 3 bits of the index for ITLB indexing and 4
bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
the DTLB array, so a malicious guest may trigger out-of-bound access to
these arrays.

Change split_tlb_entry_spec return type to bool to indicate whether TLB
way passed to it is valid. Change get_tlb_entry to return NULL in case
invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
requested TLB way and entry indices are valid. Add checks to the
[rwi]tlb helpers that requested TLB way is valid and return 0 or do
nothing when it's not.

Cc: qemu-stable@nongnu.org
Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 604927e357c2b292c70826e4ce42574ad126ef32)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
target/xtensa/mmu_helper.c diff | blob | blame | history
Mirror of https://git.qemu.org/git/qemu.git