[Qemu-devel] [PULL 10/10] target/arm: Always set FAR to a known unknown value for debug exceptions

From: Peter Maydell
Subject: [Qemu-devel] [PULL 10/10] target/arm: Always set FAR to a known unknown value for debug exceptions
Date: Fri, 23 Mar 2018 18:49:58 +0000
For debug exceptions due to breakpoints or the BKPT instruction which
are taken to AArch32, the Fault Address Register is architecturally
UNKNOWN. We were using that as license to simply not set
env->exception.vaddress, but this isn't correct, because it will
expose to the guest whatever old value was in that field when
arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR. That old
value might be a FAR for a previous guest EL2 or secure exception, in
which case we shouldn't show it to an EL1 or non-secure exception
handler. It might also be a non-deterministic value, which is bad
for record-and-replay.
Clear env->exception.vaddress before taking breakpoint debug
exceptions, to avoid this minor information leak.
Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Message-id: address@hidden
---
target/arm/op_helper.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index 8e1e521193..a266cc0116 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -490,6 +490,11 @@ void HELPER(exception_bkpt_insn)(CPUARMState *env,
uint32_t syndrome)
{
/* FSR will only be used if the debug target EL is AArch32. */
env->exception.fsr = arm_debug_exception_fsr(env);
+ /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
+ * values to the guest that it shouldn't be able to see at its
+ * exception/security level.
+ */
+ env->exception.vaddress = 0;
raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env));
}
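Review bot: the five-line comment and the `env->exception.vaddress = 0;` assignment added after `env->exception.fsr = arm_debug_exception_fsr(env);` here are repeated verbatim in the arm_debug_excp_handler hunk below. Since both call sites already share arm_debug_exception_fsr(env) for the FSR, consider folding the FSR and FAR setup into a single helper that sets both env->exception.fsr and env->exception.vaddress, so a future third debug-exception path cannot pick up only the FSR half and reintroduce the stale-FAR leak.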
@@ -1353,7 +1358,11 @@ void arm_debug_excp_handler(CPUState *cs)
}
env->exception.fsr = arm_debug_exception_fsr(env);
- /* FAR is UNKNOWN, so doesn't need setting */
+ /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
+ * values to the guest that it shouldn't be able to see at its
+ * exception/security level.
+ */
+ env->exception.vaddress = 0;
raise_exception(env, EXCP_PREFETCH_ABORT,
syn_breakpoint(same_el),
arm_debug_target_el(env));
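Review bot: the dropped comment `/* FAR is UNKNOWN, so doesn't need setting */` drew the wrong conclusion from the architecture (UNKNOWN licenses the emulator to present any value, not to leave whatever happens to be in the field), and the replacement wording states the actual reason for the write, which is good. The closing `}` at the top of the hunk shows this raise_exception() is one of several branches in arm_debug_excp_handler; the other branch(es) should be checked to confirm each either stores a meaningful address in env->exception.vaddress or clears it the same way before calling raise_exception(), otherwise this fix covers only the breakpoint path.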
--
2.16.2
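The leak the commit message describes is a stale field in shared emulator state being copied into a guest-visible register for a less privileged handler. The following is an added example, not QEMU code: a toy model in which `struct exc` stands in for env->exception, `struct bank` for one security state's IFSR/IFAR, `deliver()` for arm_cpu_do_interrupt_aarch32() copying the pending fault state out, and the two `bkpt_*` functions for the before/after behaviour of the patch. All names, the constructed addresses and the FSR values are assumptions made for illustration, not the architectural encodings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code: a toy model of the state the commit message
 * talks about. "exc" stands in for env->exception (fsr, vaddress); "bank"
 * stands in for the guest-visible IFSR/IFAR of one security state. Field
 * names and register values are assumptions made for illustration.
 */
struct exc {
    uint32_t fsr;       /* model of env->exception.fsr */
    uint32_t vaddress;  /* model of env->exception.vaddress */
};

struct bank {
    uint32_t ifsr;      /* model of the guest's fault status register */
    uint32_t ifar;      /* model of the guest's fault address register */
};

/* Constructed values: a fault address a secure handler saw earlier, and an
 * arbitrary status value for the debug exception (not the real encoding). */
#define SECURE_FAULT_ADDR  0x1e00f000u
#define DEBUG_FSR          0x2u

/* A secure-world abort whose address genuinely belongs in the FAR. */
static void take_secure_abort(struct exc *e, struct bank *secure_regs)
{
    e->fsr = 0x5u;                   /* constructed status value */
    e->vaddress = SECURE_FAULT_ADDR;
    secure_regs->ifsr = e->fsr;      /* delivered to the secure handler */
    secure_regs->ifar = e->vaddress;
}

/* Model of arm_cpu_do_interrupt_aarch32() copying the pending fault state
 * into the registers of the handler that is about to run. */
static void deliver(const struct exc *e, struct bank *regs)
{
    regs->ifsr = e->fsr;
    regs->ifar = e->vaddress;
}

/* Before the fix: vaddress left untouched because the FAR is UNKNOWN. */
static void bkpt_before_fix(struct exc *e)
{
    e->fsr = DEBUG_FSR;
}

/* After the fix: UNKNOWN is satisfied by a fixed value, so clear it. */
static void bkpt_after_fix(struct exc *e)
{
    e->fsr = DEBUG_FSR;
    e->vaddress = 0;
}

/*
 * Sequence from the commit message: a secure exception leaves its FAR in the
 * shared field, then a non-secure BKPT is taken. Returns the IFAR the
 * non-secure handler observes.
 */
uint32_t nonsecure_ifar_after_bkpt(bool fixed)
{
    struct exc e = { 0, 0 };
    struct bank secure_regs = { 0, 0 }, ns_regs = { 0, 0 };

    take_secure_abort(&e, &secure_regs);
    if (fixed) {
        bkpt_after_fix(&e);
    } else {
        bkpt_before_fix(&e);
    }
    deliver(&e, &ns_regs);
    return ns_regs.ifar;
}

/* True if the non-secure handler could learn the secure fault address. */
bool leaks_secure_far(bool fixed)
{
    return nonsecure_ifar_after_bkpt(fixed) == SECURE_FAULT_ADDR;
}

int main(void)
{
    printf("before fix: NS IFAR = 0x%08x (leak: %s)\n",
           nonsecure_ifar_after_bkpt(false),
           leaks_secure_far(false) ? "yes" : "no");
    printf("after fix:  NS IFAR = 0x%08x (leak: %s)\n",
           nonsecure_ifar_after_bkpt(true),
           leaks_secure_far(true) ? "yes" : "no");
    return 0;
}
```

The model also shows why "architecturally UNKNOWN" is not a licence to skip the store: the guest may legitimately see any value, but the emulator picks which one, and picking "whatever was there" ties the observable value to state from a different security or exception level (and, for record-and-replay, to history the replay may not reproduce). Zero is as valid an UNKNOWN as any other constant and carries no information.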
- [Qemu-devel] [PULL 00/10] target-arm queue, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 02/10] sdhci: fix incorrect use of Error *, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 03/10] hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 04/10] hw/arm/bcm2836: Use the Cortex-A7 instead of Cortex-A15, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 05/10] i.MX: Support serial RS-232 break properly, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 07/10] target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 01/10] arm/translate-a64: treat DISAS_UPDATE as variant of DISAS_EXIT, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 10/10] target/arm: Always set FAR to a known unknown value for debug exceptions, Peter Maydell <=
- [Qemu-devel] [PULL 08/10] target/arm: Factor out code to calculate FSR for debug exceptions, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 06/10] mach-virt: Set VM's SMBIOS system version to mc->name, Peter Maydell, 2018/03/23
- [Qemu-devel] [PULL 09/10] target/arm: Set FSR for BKPT, BRK when raising exception, Peter Maydell, 2018/03/23
- Re: [Qemu-devel] [PULL 00/10] target-arm queue, no-reply, 2018/03/23
- Re: [Qemu-devel] [PULL 00/10] target-arm queue, Peter Maydell, 2018/03/25