diff mbox series

[09/64] target/xtensa: fix access ring in l32ex

Message ID	20211019140944.152419-10-michael.roth@amd.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=wZCd=PH=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 8CE1661029 Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; From: Michael Roth <michael.roth@amd.com> To: <qemu-devel@nongnu.org> CC: <qemu-stable@nongnu.org>, Max Filippov <jcmvbkbc@gmail.com>, =?utf-8?q?P?= =?utf-8?q?hilippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org> Subject: [PATCH 09/64] target/xtensa: fix access ring in l32ex Date: Tue, 19 Oct 2021 09:08:49 -0500 Message-ID: <20211019140944.152419-10-michael.roth@amd.com> In-Reply-To: <20211019140944.152419-1-michael.roth@amd.com> References: <20211019140944.152419-1-michael.roth@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Received-SPF: softfail client-ip=40.107.220.73; envelope-from=Michael.Roth@amd.com; helo=NAM11-CO1-obe.outbound.protection.outlook.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	Patch Round-up for stable 6.0.1, freeze on 2021-10-26 \| expand [00/64] Patch Round-up for stable 6.0.1, freeze on 2021-10-26 [01/64] multi-process: Initialize variables declared with g_auto* [02/64] linux-user/aarch64: Enable hwcap for RND, BTI, and MTE [03/64] docs/system: Document the removal of "compat" property for POWER CPUs [04/64] monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB [05/64] migration/rdma: Fix cm_event used before being initialized [06/64] target/i386: Exit tb after wrmsr [07/64] target/ppc: Fix load endianness for lxvwsx/lxvdsx [08/64] vl: allow not specifying size in -m when using -M memory-backend [09/64] target/xtensa: fix access ring in l32ex [10/64] qemu-option: support accept-any QemuOptsList in qemu_opts_absorb_qdict [11/64] qemu-config: load modules when instantiating option groups [12/64] qemu-config: parse configuration files to a QDict [13/64] vl: plumb keyval-based options into -readconfig [14/64] vl: plug -object back into -readconfig [15/64] sockets: update SOCKET_ADDRESS_TYPE_FD listen(2) backlog [16/64] hmp: Fix loadvm to resume the VM on success instead of failure [17/64] configure: fix detection of gdbus-codegen [18/64] vhost-vdpa: don't initialize backend_features [19/64] esp: only assert INTR_DC interrupt flag if selection fails [20/64] esp: only set ESP_RSEQ at the start of the select sequence [21/64] runstate: Initialize Error * to NULL [22/64] vfio: Fix unregister SaveVMHandler in vfio_migration_finalize [23/64] vl: Fix an assert failure in error path [24/64] tcg/sparc: Fix temp_allocate_frame vs sparc stack bias [25/64] tcg: Allocate sufficient storage in temp_allocate_frame [26/64] hw/pci-host/q35: Ignore write of reserved PCIEXBAR LENGTH field [27/64] block/nvme: Fix VFIO_MAP_DMA failed: No space left on device [28/64] crypto/tlscreds: Introduce qcrypto_tls_creds_check_endpoint() helper [29/64] block/nbd: Use qcrypto_tls_creds_check_endpoint() [30/64] qemu-nbd: Use qcrypto_tls_creds_check_endpoint() [31/64] chardev/socket: Use qcrypto_tls_creds_check_endpoint() [32/64] migration/tls: Use qcrypto_tls_creds_check_endpoint() [33/64] ui/vnc: Use qcrypto_tls_creds_check_endpoint() [34/64] crypto: Make QCryptoTLSCreds* structures private [35/64] yank: Unregister function when using TLS migration [36/64] tests: acpi: prepare for changing DSDT tables [37/64] acpi: pc: revert back to v5.2 PCI slot enumeration [38/64] tests: acpi: pc: update expected DSDT blobs [39/64] hw/block/nvme: align with existing style [40/64] hw/nvme: fix missing check for PMR capability [41/64] hw/nvme: fix pin-based interrupt behavior (again) [42/64] virtio-balloon: don't start free page hinting if postcopy is possible [43/64] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes [44/64] hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT [45/64] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30 [46/64] audio: Never send migration section [47/64] target/arm: Don't skip M-profile reset entirely in user mode [48/64] virtio-net: fix use after unmap/free for sg [49/64] qemu-nbd: Change default cache mode to writeback [50/64] hmp: Unbreak "change vnc" [51/64] virtio-mem-pci: Fix memory leak when creating MEMORY_DEVICE_SIZE_CHANGE event [52/64] uas: add stream number sanity checks. [53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) [54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527) [55/64] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) [56/64] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544) [57/64] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544) [58/64] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544) [59/64] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544) [60/64] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544) [61/64] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546) [62/64] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) [63/64] pvrdma: Ensure correct input on ring init (CVE-2021-3607) [64/64] pvrdma: Fix the ring init error flow (CVE-2021-3608)

Commit Message

Michael Roth Oct. 19, 2021, 2:08 p.m. UTC

From: Max Filippov <jcmvbkbc@gmail.com>

l32ex does memory access as all regular load/store operations at CRING
level. Fix apparent pasto from l32e that caused it to use RING instead.

This is a correctness issue, not a security issue, because in the worst
case the privilege level of memory access may be lowered, resulting in
an exception when the correct implementation would've succeeded.
In no case it would allow memory access that would've raised an
exception in the correct implementation.

Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit 735aa900e4bf57b777ac620bed7c88234ec4b601)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
 target/xtensa/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 0ae4efc48a..1678b65607 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -1817,7 +1817,7 @@  static void translate_l32ex(DisasContext *dc, const OpcodeArg arg[],
     tcg_gen_mov_i32(addr, arg[1].in);
     gen_load_store_alignment(dc, 2, addr, true);
     gen_check_exclusive(dc, addr, false);
-    tcg_gen_qemu_ld_i32(arg[0].out, addr, dc->ring, MO_TEUL);
+    tcg_gen_qemu_ld_i32(arg[0].out, addr, dc->cring, MO_TEUL);
     tcg_gen_mov_i32(cpu_exclusive_addr, addr);
     tcg_gen_mov_i32(cpu_exclusive_val, arg[0].out);
     tcg_temp_free(addr);