From patchwork Tue Feb 24 21:48:11 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Roth <mdroth@linux.vnet.ibm.com>
X-Patchwork-Id: 44998
Return-Path: <patchwork-forward+bncBCX5ZQEZUQNBBRXKWOTQKGQERE6C7PQ@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-lb0-f197.google.com (mail-lb0-f197.google.com
 [209.85.217.197])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 4BC042029F
 for <linaro@patches.linaro.org>; Tue, 24 Feb 2015 22:03:51 +0000 (UTC)
Received: by lbvp9 with SMTP id p9sf19261242lbv.1
 for <linaro@patches.linaro.org>; Tue, 24 Feb 2015 14:03:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:date
 :message-id:in-reply-to:references:cc:subject:precedence:list-id
 :list-unsubscribe:list-archive:list-post:list-help:list-subscribe
 :errors-to:sender:x-original-sender
 :x-original-authentication-results:mailing-list;
 bh=MhT1sQdxisZK2FSH50k8yoYLIF/zE+EprGdkNDiCrpQ=;
 b=eZxONVx4WvVhvRvNrJvdOl2MTE5p1/oMeRmlMYS/V/qQiQLBWkZKbkZh49PhSnE28u
 93kMAMaS5/yeBwOdM8a/f1hqBGkuD1kAXNbDxktIdpHmkFav/UpJ8eNUtP4aCG2JavkZ
 PoiaqGFOlISakHcAJ6KHwHq+1fzFi22SKB2JFSKXI3pcDhQ4unkZoxuilq5UuhgdrOEf
 qHhSBoToMrL/xmbblD8YUtPqiDgKv+WSpQnJcJp5+JXKqGGXw0bj7PfejCwPPseIdNan
 /CADNxz7XbBhGA/k8cA7dXOMV+p0Onumim6Ju9VSiX0+P1WMYikQAeO27nKREFdIOBji
 k0xw==
X-Gm-Message-State: ALoCoQkunUosYdvUCQdCfkjK0YZo9s6sRB5GMPBJuFmQ13QaUNElavsH5FSqpAl4Zq6JCbuw+2XG
X-Received: by 10.180.87.166 with SMTP id az6mr2414459wib.1.1424815430222;
 Tue, 24 Feb 2015 14:03:50 -0800 (PST)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.9.6 with SMTP id v6ls730572laa.13.gmail; Tue, 24 Feb 2015
 14:03:50 -0800 (PST)
X-Received: by 10.152.36.138 with SMTP id q10mr5529611laj.113.1424815430009; 
 Tue, 24 Feb 2015 14:03:50 -0800 (PST)
Received: from mail-la0-f50.google.com (mail-la0-f50.google.com.
 [209.85.215.50])
 by mx.google.com with ESMTPS id f9si8689644lam.60.2015.02.24.14.03.49
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 24 Feb 2015 14:03:50 -0800 (PST)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.50 as permitted sender) client-ip=209.85.215.50; 
Received: by lamq1 with SMTP id q1so28932734lam.5
 for <patchwork-forward@linaro.org>;
 Tue, 24 Feb 2015 14:03:49 -0800 (PST)
X-Received: by 10.112.162.167 with SMTP id yb7mr70918lbb.76.1424815429918;
 Tue, 24 Feb 2015 14:03:49 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.35.133 with SMTP id h5csp2203509lbj;
 Tue, 24 Feb 2015 14:03:49 -0800 (PST)
X-Received: by 10.140.104.207 with SMTP id a73mr91586qgf.13.1424815428296;
 Tue, 24 Feb 2015 14:03:48 -0800 (PST)
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id u1si5411128qai.90.2015.02.24.14.03.47
 for <patch@linaro.org> (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Tue, 24 Feb 2015 14:03:48 -0800 (PST)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Received: from localhost ([::1]:51717 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1YQNZz-0002Fk-6m
 for patch@linaro.org; Tue, 24 Feb 2015 17:03:47 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49119)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mdroth@linux.vnet.ibm.com>) id 1YQNQv-0000mc-W3
 for qemu-devel@nongnu.org; Tue, 24 Feb 2015 16:54:30 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mdroth@linux.vnet.ibm.com>) id 1YQNQl-0007ia-6p
 for qemu-devel@nongnu.org; Tue, 24 Feb 2015 16:54:25 -0500
Received: from e33.co.us.ibm.com ([32.97.110.151]:41041)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mdroth@linux.vnet.ibm.com>) id 1YQNQk-0007iM-Nj
 for qemu-devel@nongnu.org; Tue, 24 Feb 2015 16:54:14 -0500
Received: from /spool/local
 by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
 Only! Violators will be prosecuted
 for <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>;
 Tue, 24 Feb 2015 14:54:14 -0700
Received: from d03dlp02.boulder.ibm.com (9.17.202.178)
 by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway:
 Authorized Use Only! Violators will be prosecuted; 
 Tue, 24 Feb 2015 14:54:12 -0700
Received: from b03cxnp08025.gho.boulder.ibm.com
 (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17])
 by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 060073E4003B;
 Tue, 24 Feb 2015 14:54:12 -0700 (MST)
Received: from d03av05.boulder.ibm.com (d03av05.boulder.ibm.com [9.17.195.85])
 by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with
 ESMTP id t1OLs9ta34603160; Tue, 24 Feb 2015 14:54:09 -0700
Received: from d03av05.boulder.ibm.com (localhost [127.0.0.1])
 by d03av05.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP
 id t1OLsBUv029587; Tue, 24 Feb 2015 14:54:11 -0700
Received: from localhost (morrigu.austin.ibm.com [9.41.105.45])
 by d03av05.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP
 id t1OLsBKO029570; Tue, 24 Feb 2015 14:54:11 -0700
From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Date: Tue, 24 Feb 2015 15:48:11 -0600
Message-Id: <1424814498-6993-37-git-send-email-mdroth@linux.vnet.ibm.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1424814498-6993-1-git-send-email-mdroth@linux.vnet.ibm.com>
References: <1424814498-6993-1-git-send-email-mdroth@linux.vnet.ibm.com>
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 15022421-0009-0000-0000-00000909E613
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 32.97.110.151
Cc: Peter Maydell <peter.maydell@linaro.org>, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 36/43] target-arm/translate-a64: Fix wrong
 mmu_idx usage for LDT/STT
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: mdroth@linux.vnet.ibm.com
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.50 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

From: Peter Maydell <peter.maydell@linaro.org>

The LDT/STT (load/store unprivileged) instruction decode was using
the wrong MMU index value. This meant that instead of these insns
being "always access as if user-mode regardless of current privilege"
they were "always access as if kernel-mode regardless of current
privilege". This went unnoticed because AArch64 Linux doesn't use
these instructions.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Greg Bellows <greg.bellows@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
I'm not counting this as a security issue because I'm assuming
nobody treats TCG guests as a security boundary (certainly I
would not recommend doing so...)

(cherry picked from commit 949013ce111eb64f8bc81cf9a9f1cefd6a1678c3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/translate-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
index 80d2c07..97206aa 100644
--- a/target-arm/translate-a64.c
+++ b/target-arm/translate-a64.c
@@ -2107,7 +2107,7 @@ static void disas_ldst_reg_imm9(DisasContext *s, uint32_t insn)
         }
     } else {
         TCGv_i64 tcg_rt = cpu_reg(s, rt);
-        int memidx = is_unpriv ? 1 : get_mem_index(s);
+        int memidx = is_unpriv ? MMU_USER_IDX : get_mem_index(s);
 
         if (is_store) {
             do_gpr_st_memidx(s, tcg_rt, tcg_addr, size, memidx);