Re: [PATCH] target/xtensa: fix OOB TLB entry access

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] target/xtensa: fix OOB TLB entry access

From:	Michael Tokarev
Subject:	Re: [PATCH] target/xtensa: fix OOB TLB entry access
Date:	Thu, 18 Jan 2024 11:01:22 +0300
User-agent:	Mozilla Thunderbird

15.12.2023 15:03, Max Filippov :

r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
by the guest. The host uses 3 bits of the index for ITLB indexing and 4
bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
the DTLB array, so a malicious guest may trigger out-of-bound access to
these arrays.

Change split_tlb_entry_spec return type to bool to indicate whether TLB
way passed to it is valid. Change get_tlb_entry to return NULL in case
invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
requested TLB way and entry indices are valid. Add checks to the
[rwi]tlb helpers that requested TLB way is valid and return 0 or do
nothing when it's not.

Cc: qemu-stable@nongnu.org
Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>


Ping?
Can we get this to master before Jan-27? :)

Thanks,

/mjt

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH] target/xtensa: fix OOB TLB entry access, Michael Tokarev <=
- Re: [PATCH] target/xtensa: fix OOB TLB entry access, Peter Maydell, 2024/01/19

Prev by Date: [Stable-8.2.1 38/38] target/hppa: Update SeaBIOS-hppa to version 15
Next by Date: Re: [PATCH-for-8.2 v2] backends/cryptodev: Do not ignore throttle/backends Errors
Previous by thread: [Stable-8.2.1 00/38] Patch Round-up for stable 8.2.1, freeze on 2024-01-27
Next by thread: Re: [PATCH] target/xtensa: fix OOB TLB entry access
Index(es):
- Date
- Thread