diff options
| author | Nicolas Pitre <nico@fluxnic.net> | 2022-06-15 17:11:51 -0400 |
|---|---|---|
| committer | Alistair Francis <alistair@alistair23.me> | 2022-07-03 10:03:20 +1000 |
| commit | 2e983399186b9ff85521dd35082779a133cd9b2b (patch) | |
| tree | 5a61dba233b47e7c3927fbbd56331f659d507468 /.gitpublish | |
| parent | a9814e3e08d2aacbd9018c36c77c2fb652537848 (diff) | |
target/riscv/pmp: guard against PMP ranges with a negative size
For a TOR entry to match, the stard address must be lower than the end
address. Normally this is always the case, but correct code might still
run into the following scenario:
Initial state:
pmpaddr3 = 0x2000 pmp3cfg = OFF
pmpaddr4 = 0x3000 pmp4cfg = TOR
Execution:
1. write 0x40ff to pmpaddr3
2. write 0x32ff to pmpaddr4
3. set pmp3cfg to NAPOT with a read-modify-write on pmpcfg0
4. set pmp4cfg to NAPOT with a read-modify-write on pmpcfg1
When (2) is emulated, a call to pmp_update_rule() creates a negative
range for pmp4 as pmp4cfg is still set to TOR. And when (3) is emulated,
a call to tlb_flush() is performed, causing pmp_get_tlb_size() to return
a very creatively large TLB size for pmp4. This, in turn, may result in
accesses to non-existent/unitialized memory regions and a fault, so that
(4) ends up never being executed.
This is in m-mode with MPRV unset, meaning that unlocked PMP entries
should have no effect. Therefore such a behavior based on PMP content
is very unexpected.
Make sure no negative PMP range can be created, whether explicitly by
the emulated code or implicitly like the above.
Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <3oq0sqs1-67o0-145-5n1s-453o118804q@syhkavp.arg>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Diffstat (limited to '.gitpublish')
0 files changed, 0 insertions, 0 deletions