[Qemu-devel] [Bug 1825311] [NEW] mips_cpu_handle_mmu_fault renders all accessed pages executable

[Qemu-devel] [Bug 1825311] [NEW] mips_cpu_handle_mmu_fault renders all accessed pages executable

[Jakub Jermar]

Public bug reported:

On MIPS, data accesses to pages mapped in the TLB result in
mips_cpu_handle_mmu_fault() marking the page unconditionally executable,
even if the TLB entry has the XI bit set. Later on, when there is an
attempt to execute this page, no exception is generated, even though
TLBXI is expected.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  New

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Philippe Mathieu-Daudé]

** Tags added: mips

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  New

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Jakub Jermar]

I am attaching a reproducer image and script.

Unpatched execution ends like this:

...
TAP TEST START
1..2
not ok 1 NonExecutable::ElfDataIsNotExecutable
# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:103
# Expected: -(L4_EIPC_LO + l4_ipc_error(tag, l4_utcb())) >= 0
# Actual: -2003 (Receive timeout)
# There was no IPC error.
# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:125
# Expected equality of these values:
#   pfa
#     Which is: 360
#   (l4_addr_t)execute_data
#     Which is: 17633344
# The page fault occured at the expected location.
not ok 2 NonExecutable::StackIsNotExecutable
# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:103
# Expected: -(L4_EIPC_LO + l4_ipc_error(tag, l4_utcb())) >= 0
# Actual: -2003 (Receive timeout)
# There was no IPC error.
# Assertion failed /home/jermar/Kernkonzept/software/l4/pkg/l4re-core/test/moe/test_nx.cc:144
# Expected equality of these values:
#   pfa
#     Which is: 4358144
#   stack_func
#     Which is: 4276000
# The page fault occured at the expected location.
TAP TEST FINISHED


With the proposed patch applied, the execution should end with something
like this:

...
TAP TEST START
1..2
ok 1 NonExecutable::ElfDataIsNotExecutable
ok 2 NonExecutable::StackIsNotExecutable
TAP TEST FINISHED


** Attachment added: "Image and script for reproducing this bug."
   https://bugs.launchpad.net/qemu/+bug/1825311/+attachment/5258264/+files/reproducer.tar.xz

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  New

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Philippe Mathieu-Daudé]

** Changed in: qemu
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  Fix Committed

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Philippe Mathieu-Daudé]

Patch posted on the list:
https://lists.gnu.org/archive/html/qemu-devel/2019-04/msg03711.html

** Changed in: qemu
       Status: Fix Committed => In Progress

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  In Progress

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Jakub Jermar]

Also attaching the 64-bit version of the reproducer.

** Attachment added: "64-bit version of the reproducer"
   https://bugs.launchpad.net/qemu/+bug/1825311/+attachment/5264428/+files/reproducer64.tar.xz

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  In Progress

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Alex Bennée]

** Tags added: testcase

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  In Progress

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Peter Maydell]

This bug should be fixed by commit 7353113fa482e697a77 now in QEMU
master; it will be in the 4.1 release.


** Changed in: qemu
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  Fix Committed

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions

[Qemu-devel] [Bug 1825311] Re: mips_cpu_handle_mmu_fault renders all accessed pages executable

[Thomas Huth]

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1825311

Title:
  mips_cpu_handle_mmu_fault renders all accessed pages executable

Status in QEMU:
  Fix Released

Bug description:
  On MIPS, data accesses to pages mapped in the TLB result in
  mips_cpu_handle_mmu_fault() marking the page unconditionally
  executable, even if the TLB entry has the XI bit set. Later on, when
  there is an attempt to execute this page, no exception is generated,
  even though TLBXI is expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1825311/+subscriptions