From patchwork Fri Mar 23 18:49:58 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 132364
From: Peter Maydell
To: qemu-devel@nongnu.org
Date: Fri, 23 Mar 2018 18:49:58 +0000
Message-Id: <20180323184958.14252-11-peter.maydell@linaro.org>
In-Reply-To: <20180323184958.14252-1-peter.maydell@linaro.org>
References: <20180323184958.14252-1-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 10/10] target/arm: Always set FAR to a known unknown value for debug exceptions

For debug exceptions due to breakpoints or the BKPT instruction which are taken to AArch32, the Fault Address Register is architecturally UNKNOWN. We were using that as license to simply not set env->exception.vaddress, but this isn't correct, because it will expose to the guest whatever old value was in that field when arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR. That old value might be a FAR for a previous guest EL2 or secure exception, in which case we shouldn't show it to an EL1 or non-secure exception handler. It might also be a non-deterministic value, which is bad for record-and-replay.

Clear env->exception.vaddress before taking breakpoint debug exceptions, to avoid this minor information leak.

Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20180320134114.30418-5-peter.maydell@linaro.org
---
 target/arm/op_helper.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

-- 
2.16.2

diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index 8e1e521193..a266cc0116 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -490,6 +490,11 @@ void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) { /* FSR will only be used if the debug target EL is AArch32. */ env->exception.fsr = arm_debug_exception_fsr(env); + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); } @@ -1353,7 +1358,11 @@ void arm_debug_excp_handler(CPUState *cs) } env->exception.fsr = arm_debug_exception_fsr(env); - /* FAR is UNKNOWN, so doesn't need setting */ + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_PREFETCH_ABORT, syn_breakpoint(same_el), arm_debug_target_el(env));
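Review bot: in the exception_bkpt_insn hunk, the two-step sequence `env->exception.fsr = arm_debug_exception_fsr(env);` followed by `env->exception.vaddress = 0;` (with the same four-line comment) is repeated verbatim in the arm_debug_excp_handler hunk below; a small shared helper that sets both fields together would keep the two call sites from drifting and make it harder for a future debug-exception path to forget the clear. The comment could also say explicitly that 0 is a deterministic stand-in for the architecturally UNKNOWN FAR, since determinism for record-and-replay is one of the two motivations given in the commit message.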
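Review bot: the arm_debug_excp_handler hunk's context opens with the closing brace of an earlier branch in that function which is not shown; worth confirming that branch, and any other path in the file that calls raise_exception for a debug exception, sets env->exception.vaddress explicitly too, otherwise the stale-value exposure described in the commit message survives there. The removed line `/* FAR is UNKNOWN, so doesn't need setting */` shows the pattern to look for: any remaining comment of that form marks a site where the old reasoning was applied.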