qemu-stable

Re: [PATCH] target/xtensa: fix OOB TLB entry access


From: Peter Maydell
Subject: Re: [PATCH] target/xtensa: fix OOB TLB entry access
Date: Fri, 19 Jan 2024 16:44:28 +0000

On Thu, 18 Jan 2024 at 08:01, Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 15.12.2023 15:03, Max Filippov wrote:
> > r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
> > by the guest. The host uses 3 bits of the index for ITLB indexing and 4
> > bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
> > the DTLB array, so a malicious guest may trigger out-of-bound access to
> > these arrays.
> >
> > Change split_tlb_entry_spec return type to bool to indicate whether TLB
> > way passed to it is valid. Change get_tlb_entry to return NULL in case
> > invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
> > requested TLB way and entry indices are valid. Add checks to the
> > [rwi]tlb helpers that requested TLB way is valid and return 0 or do
> > nothing when it's not.
> >
> > Cc: qemu-stable@nongnu.org
> > Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
> > Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
>
> Ping?
> Can we get this to master before Jan-27? :)

I can take it via target-arm.next, I guess.

-- PMM
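
The bounds check the quoted commit message describes, as an added example that is not part of the thread and is not QEMU's code: a 3-bit or 4-bit way field can name more ways than the 7-entry and 10-entry arrays hold, so the lookup has to validate after masking. All `toy_*` names, the struct layout, and the placement of the way field in the low bits of the register are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not QEMU code. Sizes and field widths are the ones quoted above. */
#define ITLB_WAYS 7u   /* valid ways 0..6, but a 3-bit field reaches 7  */
#define DTLB_WAYS 10u  /* valid ways 0..9, but a 4-bit field reaches 15 */

typedef struct { uint32_t paddr; bool valid; } toy_tlb_entry;
typedef struct {
    toy_tlb_entry itlb[ITLB_WAYS];
    toy_tlb_entry dtlb[DTLB_WAYS];
} toy_mmu;

/* Extract the way from a guest-controlled register value and report whether
 * that way exists. Masking alone is not a bounds check here. */
static bool toy_split_way(uint32_t guest_reg, bool dtlb, uint32_t *way)
{
    *way = guest_reg & (dtlb ? 0xfu : 0x7u);
    return *way < (dtlb ? DTLB_WAYS : ITLB_WAYS);
}

/* Return the entry for a guest-supplied way, or NULL when the way is invalid. */
static toy_tlb_entry *toy_get_entry(toy_mmu *mmu, uint32_t guest_reg, bool dtlb)
{
    uint32_t way;
    if (!toy_split_way(guest_reg, dtlb, &way)) {
        return NULL;
    }
    return dtlb ? &mmu->dtlb[way] : &mmu->itlb[way];
}

/* Read helper: yields 0 for an invalid way instead of reading past the array. */
static uint32_t toy_read_tlb(toy_mmu *mmu, uint32_t guest_reg, bool dtlb)
{
    toy_tlb_entry *e = toy_get_entry(mmu, guest_reg, dtlb);
    return e ? e->paddr : 0;
}

/* Write helper: does nothing for an invalid way; returns whether it wrote. */
static bool toy_write_tlb(toy_mmu *mmu, uint32_t guest_reg, bool dtlb, uint32_t paddr)
{
    toy_tlb_entry *e = toy_get_entry(mmu, guest_reg, dtlb);
    if (!e) {
        return false;
    }
    e->paddr = paddr;
    e->valid = true;
    return true;
}

int main(void)
{
    toy_mmu m = {0};
    printf("itlb way 7 written: %d\n", toy_write_tlb(&m, 7, false, 0x2000));
    printf("dtlb way 9 written: %d\n", toy_write_tlb(&m, 9, true, 0x3000));
    return 0;
}
```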


