From: Alistair Francis <alistair.francis@opensource.wdc.com>
To: qemu-devel@nongnu.org
Cc: alistair23@gmail.com, Nicolas Pitre <nico@fluxnic.net>,
Alistair Francis <alistair.francis@wdc.com>
Subject: [PULL v2 05/19] target/riscv/pmp: guard against PMP ranges with a negative size
Date: Sun, 3 Jul 2022 10:12:20 +1000 [thread overview]
Message-ID: <20220703001234.439716-6-alistair.francis@opensource.wdc.com> (raw)
In-Reply-To: <20220703001234.439716-1-alistair.francis@opensource.wdc.com>
From: Nicolas Pitre <nico@fluxnic.net>
For a TOR entry to match, the stard address must be lower than the end
address. Normally this is always the case, but correct code might still
run into the following scenario:
Initial state:
pmpaddr3 = 0x2000 pmp3cfg = OFF
pmpaddr4 = 0x3000 pmp4cfg = TOR
Execution:
1. write 0x40ff to pmpaddr3
2. write 0x32ff to pmpaddr4
3. set pmp3cfg to NAPOT with a read-modify-write on pmpcfg0
4. set pmp4cfg to NAPOT with a read-modify-write on pmpcfg1
When (2) is emulated, a call to pmp_update_rule() creates a negative
range for pmp4 as pmp4cfg is still set to TOR. And when (3) is emulated,
a call to tlb_flush() is performed, causing pmp_get_tlb_size() to return
a very creatively large TLB size for pmp4. This, in turn, may result in
accesses to non-existent/unitialized memory regions and a fault, so that
(4) ends up never being executed.
This is in m-mode with MPRV unset, meaning that unlocked PMP entries
should have no effect. Therefore such a behavior based on PMP content
is very unexpected.
Make sure no negative PMP range can be created, whether explicitly by
the emulated code or implicitly like the above.
Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <3oq0sqs1-67o0-145-5n1s-453o118804q@syhkavp.arg>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
target/riscv/pmp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/target/riscv/pmp.c b/target/riscv/pmp.c
index 151da3fa08..ea2b67d947 100644
--- a/target/riscv/pmp.c
+++ b/target/riscv/pmp.c
@@ -167,6 +167,9 @@ void pmp_update_rule_addr(CPURISCVState *env, uint32_t pmp_index)
case PMP_AMATCH_TOR:
sa = prev_addr << 2; /* shift up from [xx:0] to [xx+2:2] */
ea = (this_addr << 2) - 1u;
+ if (sa > ea) {
+ sa = ea = 0u;
+ }
break;
case PMP_AMATCH_NA4:
--
2.36.1
next prev parent reply other threads:[~2022-07-03 0:22 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-03 0:12 [PULL v2 00/19] riscv-to-apply queue Alistair Francis
2022-07-03 0:12 ` [PULL v2 01/19] target/riscv: Remove condition guarding register zero for auipc and lui Alistair Francis
2022-07-03 0:12 ` [PULL v2 02/19] target/riscv: Set env->bins in gen_exception_illegal Alistair Francis
2022-07-03 0:12 ` [PULL v2 03/19] target/riscv: Remove generate_exception_mtval Alistair Francis
2022-07-03 0:12 ` [PULL v2 04/19] target/riscv: Minimize the calls to decode_save_opc Alistair Francis
2022-07-03 0:12 ` Alistair Francis [this message]
2022-07-03 0:12 ` [PULL v2 06/19] target/riscv: Fix PMU CSR predicate function Alistair Francis
2022-07-03 0:12 ` [PULL v2 07/19] target/riscv: Implement PMU CSR predicate function for S-mode Alistair Francis
2022-07-03 0:12 ` [PULL v2 08/19] target/riscv: pmu: Rename the counters extension to pmu Alistair Francis
2022-07-03 0:12 ` [PULL v2 09/19] target/riscv: pmu: Make number of counters configurable Alistair Francis
2022-07-03 0:12 ` [PULL v2 10/19] target/riscv: Implement mcountinhibit CSR Alistair Francis
2022-07-03 0:12 ` [PULL v2 11/19] target/riscv: Add support for hpmcounters/hpmevents Alistair Francis
2022-07-03 0:12 ` [PULL v2 12/19] target/riscv: Support mcycle/minstret write operation Alistair Francis
2022-07-03 0:12 ` [PULL v2 13/19] target/riscv: Fixup MSECCFG minimum priv check Alistair Francis
2022-07-03 0:12 ` [PULL v2 14/19] target/riscv: Ibex: Support priv version 1.11 Alistair Francis
2022-07-03 0:12 ` [PULL v2 15/19] target/riscv: Don't force update priv spec version to latest Alistair Francis
2022-07-03 0:12 ` [PULL v2 16/19] hw/riscv: boot: Reduce FDT address alignment constraints Alistair Francis
2022-07-03 0:12 ` [PULL v2 17/19] target/riscv: Set minumum priv spec version for mcountinhibit Alistair Francis
2022-07-03 0:12 ` [PULL v2 18/19] target/riscv: Remove CSRs that set/clear an IMSIC interrupt file bits Alistair Francis
2022-07-03 0:12 ` [PULL v2 19/19] target/riscv: Update default priority table for local interrupts Alistair Francis
2022-07-03 4:38 ` [PULL v2 00/19] riscv-to-apply queue Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220703001234.439716-6-alistair.francis@opensource.wdc.com \
--to=alistair.francis@opensource.wdc.com \
--cc=alistair.francis@wdc.com \
--cc=alistair23@gmail.com \
--cc=nico@fluxnic.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.