diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2014-08-19 18:56:26 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2014-08-19 19:02:03 +0100 |
| commit | 4051e12c5df1c46b542b28ed43f1614a42245ecf (patch) | |
| tree | 06aee211a240ff8caa2712de853f62e6c1462c1e /target-arm/translate.c | |
| parent | 48eb3ae64b3e17151cf8f42af185e6f43baf707b (diff) | |
target-arm: Don't allow AArch32 to access RES0 CPSR bits
The CPSR has a new-in-v8 execution state bit (IL), and
also some state which has effects in AArch32 but appears
only in the SPSR format (SS) but is RES0 in the CPSR.
Add the IL bit to CPSR_EXEC, and enforce that guest direct
reads and writes to CPSR can't read or write the RES0
bits, so the guest can't get at the SS bit which we store
in uncached_cpsr. This includes not permitting exception
returns to copy reserved bits from an SPSR into CPSR.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Diffstat (limited to 'target-arm/translate.c')
| -rw-r--r-- | target-arm/translate.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/target-arm/translate.c b/target-arm/translate.c index 40121858d6..4cde3096d4 100644 --- a/target-arm/translate.c +++ b/target-arm/translate.c @@ -3908,9 +3908,10 @@ static uint32_t msr_mask(CPUARMState *env, DisasContext *s, int flags, int spsr) mask &= ~(CPSR_E | CPSR_GE); if (!arm_feature(env, ARM_FEATURE_THUMB2)) mask &= ~CPSR_IT; - /* Mask out execution state bits. */ - if (!spsr) - mask &= ~CPSR_EXEC; + /* Mask out execution state and reserved bits. */ + if (!spsr) { + mask &= ~(CPSR_EXEC | CPSR_RESERVED); + } /* Mask out privileged bits. */ if (IS_USER(s)) mask &= CPSR_USER; @@ -3954,7 +3955,7 @@ static void gen_exception_return(DisasContext *s, TCGv_i32 pc) TCGv_i32 tmp; store_reg(s, 15, pc); tmp = load_cpu_field(spsr); - gen_set_cpsr(tmp, 0xffffffff); + gen_set_cpsr(tmp, CPSR_ERET_MASK); tcg_temp_free_i32(tmp); s->is_jmp = DISAS_UPDATE; } @@ -3962,7 +3963,7 @@ static void gen_exception_return(DisasContext *s, TCGv_i32 pc) /* Generate a v6 exception return. Marks both values as dead. */ static void gen_rfe(DisasContext *s, TCGv_i32 pc, TCGv_i32 cpsr) { - gen_set_cpsr(cpsr, 0xffffffff); + gen_set_cpsr(cpsr, CPSR_ERET_MASK); tcg_temp_free_i32(cpsr); store_reg(s, 15, pc); s->is_jmp = DISAS_UPDATE; @@ -8836,7 +8837,7 @@ static void disas_arm_insn(CPUARMState * env, DisasContext *s) if ((insn & (1 << 22)) && !user) { /* Restore CPSR from SPSR. */ tmp = load_cpu_field(spsr); - gen_set_cpsr(tmp, 0xffffffff); + gen_set_cpsr(tmp, CPSR_ERET_MASK); tcg_temp_free_i32(tmp); s->is_jmp = DISAS_UPDATE; } |