aboutsummaryrefslogtreecommitdiff
path: root/hw/pxa2xx_dma.c
diff options
context:
space:
mode:
authorMax Filippov <jcmvbkbc@gmail.com>2023-12-15 04:03:07 -0800
committerMichael Tokarev <mjt@tls.msk.ru>2024-01-27 18:05:30 +0300
commitecc23c6e9503380c276a303754b6324fc6d4c054 (patch)
treed59809806285c747d7c26f511ede193f167e0246 /hw/pxa2xx_dma.c
parentfa020ef10b1448ad4bb998dbdc5917e942363e30 (diff)
target/xtensa: fix OOB TLB entry access
r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register by the guest. The host uses 3 bits of the index for ITLB indexing and 4 bits for DTLB, but there's only 7 entries in the ITLB array and 10 in the DTLB array, so a malicious guest may trigger out-of-bound access to these arrays. Change split_tlb_entry_spec return type to bool to indicate whether TLB way passed to it is valid. Change get_tlb_entry to return NULL in case invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that requested TLB way and entry indices are valid. Add checks to the [rwi]tlb helpers that requested TLB way is valid and return 0 or do nothing when it's not. Cc: qemu-stable@nongnu.org Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options") Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 604927e357c2b292c70826e4ce42574ad126ef32) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'hw/pxa2xx_dma.c')
0 files changed, 0 insertions, 0 deletions