Re: [PATCH] target/xtensa: fix OOB TLB entry access

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] target/xtensa: fix OOB TLB entry access

From:	Peter Maydell
Subject:	Re: [PATCH] target/xtensa: fix OOB TLB entry access
Date:	Mon, 18 Dec 2023 14:58:45 +0000

On Fri, 15 Dec 2023 at 12:05, Max Filippov <jcmvbkbc@gmail.com> wrote:
>
> r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
> by the guest. The host uses 3 bits of the index for ITLB indexing and 4
> bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
> the DTLB array, so a malicious guest may trigger out-of-bound access to
> these arrays.
>
> Change split_tlb_entry_spec return type to bool to indicate whether TLB
> way passed to it is valid. Change get_tlb_entry to return NULL in case
> invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
> requested TLB way and entry indices are valid. Add checks to the
> [rwi]tlb helpers that requested TLB way is valid and return 0 or do
> nothing when it's not.
>
> Cc: qemu-stable@nongnu.org
> Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
> ---

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] target/xtensa: fix OOB TLB entry access, Max Filippov, 2023/12/15
- Re: [PATCH] target/xtensa: fix OOB TLB entry access, Peter Maydell <=

Prev by Date: [PATCH] target/i386: Fix physical address truncation when PAE is enabled
Next by Date: [PATCH] target/riscv/kvm: do not use non-portable strerrorname_np()
Previous by thread: [PATCH] target/xtensa: fix OOB TLB entry access
Next by thread: [PATCH] target/i386: Fix physical address truncation when PAE is enabled
Index(es):
- Date
- Thread