From patchwork Mon Mar 2 17:58:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Henderson X-Patchwork-Id: 184100 Delivered-To: patch@linaro.org Received: by 2002:a92:1f12:0:0:0:0:0 with SMTP id i18csp2684224ile; Mon, 2 Mar 2020 10:02:31 -0800 (PST) X-Google-Smtp-Source: ADFU+vsFZWNO2JKi1iW+tc3ANESYOTj1iu4TzUlGmHB8HYo1s1DWaMH+xVyqSUfrxD+awLo1VAnz X-Received: by 2002:ad4:4a69:: with SMTP id cn9mr589427qvb.218.1583172150226; Mon, 02 Mar 2020 10:02:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583172150; cv=none; d=google.com; s=arc-20160816; b=sYnP7ccoZ224IMAVQbtu/BPFyeJ0rBKhX8DcWTDt2jw7qmEN9EW2FoBSEXgsRa4mai b5capRGBR5ms84Xzd22g1oId4qAMT1K5r+nQXiNz4PrfS+XgryVgXnDW8Ol9FhE1W7RT 8RWaOPx88iIKjEoDCnalCHxSJxHC0ae/bAe+xp1Hv6LbQM+09ioKJiCWmA7x5HY1al8p Gw5lr1ohfhsavInRExbp/5afVkMf5L7ugj9bJ+5J5ZMSLCloj7JVX4/rm6YyXvpyXRaJ dnqg8GJuxwIY3wCf6qnWu6NKlxUvM75FOzrjSak9lCLN6zkjlVyT4mW8CL68SoK+zKzV h2Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:cc:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:to:from :dkim-signature; bh=dr35bRmDl5K2ZK/zV6tEHz3P5CK2kUhrH8hqSGr33Rw=; b=uDYw+qwzsSdHL/Crx7seVLe7hen4+i9z+gv2JKJpoT/ljDQa0KkbB7l6FADu9oFYoa 7QP+A+muaFwCABSQQRaKQf9tfyViWf23apc7mMZnHVBy3NplZIl/kdw+3oogPhjiknNR 5lVUmoTUqFe6cfAxPlM21hKmsinlaUnuj05JtvhsrceCxZGEnCBlPpws628Bdkaim8HF 8dcBZ2Z7/31GwKiMUwJQ1ogwf/rQ4oVUJeeQ2n8WNGambbEZoPSbFf0o+qz6DOlR21Kt GOwWNDgpHfgOh2Ytst5JWTbuN3nXwjgMFHOYapuXi27iSrhV6Ne03/kgWLTTIS7ttHsW ls9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="ZJ0/OEYL"; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17]) by mx.google.com with ESMTPS id p17si3340077qtu.318.2020.03.02.10.02.30 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 02 Mar 2020 10:02:30 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="ZJ0/OEYL"; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from localhost ([::1]:36434 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j8pOf-0005ND-P5 for patch@linaro.org; Mon, 02 Mar 2020 13:02:29 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:39197) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j8pL1-0006nN-Lh for qemu-devel@nongnu.org; Mon, 02 Mar 2020 12:58:44 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j8pL0-0007cJ-Kl for qemu-devel@nongnu.org; Mon, 02 Mar 2020 12:58:43 -0500 Received: from mail-pg1-x544.google.com ([2607:f8b0:4864:20::544]:37803) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1j8pL0-0007bv-Fb for qemu-devel@nongnu.org; Mon, 02 Mar 2020 12:58:42 -0500 Received: by mail-pg1-x544.google.com with SMTP id z12so184921pgl.4 for ; Mon, 02 Mar 2020 09:58:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=dr35bRmDl5K2ZK/zV6tEHz3P5CK2kUhrH8hqSGr33Rw=; b=ZJ0/OEYLqfjbDLH2HPXWjjFaocOmukBiVGnzk0V+U8OA7hE/kfZ68Gr/1lSpMROAFk pRJKWCQxNS2/QIjxSFwbS60hW2/8hgQVGzJ+HYitny4NgKJec0USwyK6z0jMVKPHmS0Y Sm5ao3zmmc12Nw9vumEe9JcG/wPKSFjiOiasKfYEiTdNoK9JBVX9/LdpttrrDM9B+nuF ZDDnG9rMyp4g3fkU6g20pbGSK4pl7siJ3vRDjPSeDFYkR7QTxtBEE1L6w5hwKW9MgCsF PQH9aerx8NzYc2WB9Gk0QWHs4oZv+oxICiBhKl+uG1/z9Tm6qbU+NvexHSw74WUWlayl doYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=dr35bRmDl5K2ZK/zV6tEHz3P5CK2kUhrH8hqSGr33Rw=; b=VAkjxsW8NpCO7A6ic5ahUjWWnpr2DiX5Me/jZ6SqBA2rQxTxD56U7AR5HY619AxT1L +DcdLGUC40M4HbrsjTPw6Wk5yzIVZJEb5Ic3+wcxVJyr/I7HT3KcUtnP4mQXEvsa1kQy tCKSpEmxwUGfu5wkH3PEAKbe5BsQLSYEh918hTPYJtQ9jUz+L/zBGnHcVBlD0YXdDJif q5s32u68d0gWaXbrLEvglMKHa+NurfeboUmvm5N7tgjuwae6wcy/oD3tQmCbG1C29a3E 3mDDFhX/8GRWjm2+RSlLlkjhUgUvH3IgWzHLi611bCEA+DuJmbS+iWv7rDpMua7zFS+x XvuA== X-Gm-Message-State: ANhLgQ3OTj73yOGS7qLVeSmLL5xKN+YI0sUHJvKOFCYXAkZj7Y9VYwl8 z20zN1D6sFwpmTaqLqjuA8e1g6JtQBQ= X-Received: by 2002:aa7:80d1:: with SMTP id a17mr209275pfn.143.1583171921259; Mon, 02 Mar 2020 09:58:41 -0800 (PST) Received: from localhost.localdomain (97-126-123-70.tukw.qwest.net. [97.126.123.70]) by smtp.gmail.com with ESMTPSA id s18sm99510pjp.24.2020.03.02.09.58.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Mar 2020 09:58:40 -0800 (PST) From: Richard Henderson To: qemu-devel@nongnu.org Subject: [PATCH v2 8/9] target/arm: Check addresses for disabled regimes Date: Mon, 2 Mar 2020 09:58:28 -0800 Message-Id: <20200302175829.2183-9-richard.henderson@linaro.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200302175829.2183-1-richard.henderson@linaro.org> References: <20200302175829.2183-1-richard.henderson@linaro.org> MIME-Version: 1.0 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:4864:20::544 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: peter.maydell@linaro.org, qemu-arm@nongnu.org Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" We fail to validate the upper bits of a virtual address on a translation disabled regime, as per AArch64.TranslateAddressS1Off. Signed-off-by: Richard Henderson --- target/arm/helper.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) -- 2.20.1 diff --git a/target/arm/helper.c b/target/arm/helper.c index addbec91d8..0ef32d3c24 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -11634,7 +11634,38 @@ bool get_phys_addr(CPUARMState *env, target_ulong address, /* Definitely a real MMU, not an MPU */ if (regime_translation_disabled(env, mmu_idx)) { - /* MMU disabled. */ + /* + * MMU disabled. S1 addresses are still checked for bounds. + * C.f. AArch64.TranslateAddressS1Off. + */ + if (is_a64(env) && mmu_idx != ARMMMUIdx_Stage2) { + int pamax = arm_pamax(env_archcpu(env)); + uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr; + int addrtop, tbi; + + tbi = aa64_va_parameter_tbi(tcr, mmu_idx); + if (access_type == MMU_INST_FETCH) { + tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx); + } + tbi = (tbi >> extract64(address, 55, 1)) & 1; + addrtop = (tbi ? 55 : 63); + + if (extract64(address, pamax, addrtop - pamax + 1) != 0) { + fi->type = ARMFault_AddressSize; + fi->level = 0; + fi->stage2 = false; + return 1; + } + + /* + * The ARM pseudocode copies bits [51:0] to addrdesc.paddress. + * Except for TBI, we've just validated everything above PAMax + * is zero. So we only need to drop TBI. + */ + if (tbi) { + address = extract64(address, 0, 56); + } + } *phys_ptr = address; *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; *page_size = TARGET_PAGE_SIZE;