From patchwork Tue Mar 20 13:41:14 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 132148
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: patches@linaro.org
Subject: [PATCH for-2.12 4/4] target/arm: Always set FAR to a known unknown value for debug exceptions
Date: Tue, 20 Mar 2018 13:41:14 +0000
Message-Id: <20180320134114.30418-5-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180320134114.30418-1-peter.maydell@linaro.org>
References: <20180320134114.30418-1-peter.maydell@linaro.org>

For debug exceptions due to breakpoints or the BKPT instruction which are taken to AArch32, the Fault Address Register is architecturally UNKNOWN. We were using that as license to simply not set env->exception.vaddress, but this isn't correct, because it will expose to the guest whatever old value was in that field when arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR. That old value might be a FAR for a previous guest EL2 or secure exception, in which case we shouldn't show it to an EL1 or non-secure exception handler. It might also be a non-deterministic value, which is bad for record-and-replay.

Clear env->exception.vaddress before taking breakpoint debug exceptions, to avoid this minor information leak.
Signed-off-by: Peter Maydell --- target/arm/op_helper.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.16.2 Reviewed-by: Philippe Mathieu-Daudé diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index 8e1e521193..a266cc0116 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -490,6 +490,11 @@ void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) { /* FSR will only be used if the debug target EL is AArch32. */ env->exception.fsr = arm_debug_exception_fsr(env); + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); } @@ -1353,7 +1358,11 @@ void arm_debug_excp_handler(CPUState *cs) } env->exception.fsr = arm_debug_exception_fsr(env); - /* FAR is UNKNOWN, so doesn't need setting */ + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_PREFETCH_ABORT, syn_breakpoint(same_el), arm_debug_target_el(env));
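Review bot: in the exception_bkpt_insn() hunk the five added lines (the three-line comment plus `env->exception.vaddress = 0;`) are repeated verbatim in the arm_debug_excp_handler() hunk below; consider folding `env->exception.fsr = arm_debug_exception_fsr(env);` and the vaddress clear into one small helper so the "FAR is UNKNOWN" reasoning lives in one place and any future debug-exception site cannot forget the clear. The comment could also say that 0 is the deliberately chosen known value (as the subject line puts it), so a reader does not take the clear for a real fault address.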
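Review bot: the commit message scopes the stale-FAR exposure to the AArch32 entry path via arm_cpu_do_interrupt_aarch32(), but the arm_debug_excp_handler() hunk raises EXCP_PREFETCH_ABORT, the same exception type as a real instruction-fetch fault; the message should state whether the AArch64 entry path also copies env->exception.vaddress into the guest FAR for that exception type, so it is clear whether this clear matters there as well or only for AArch32. Also worth confirming that the clear is not ordered after any branch of this handler that deliberately records a meaningful address (watchpoints, where the faulting address is architecturally defined and must reach the guest), since the assignment is unconditional.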
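The leak described in the commit message, reduced to a constructed model (added here; not QEMU code): a per-exception `vaddress` field is copied unconditionally into a guest-visible fault-address register on exception entry, so a debug exception that never writes the field hands the guest whatever a previous, more privileged fault left there. The struct names, the `take_to_aarch32()` stand-in for `arm_cpu_do_interrupt_aarch32()`, and the FSR encodings are assumptions for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for env->exception and the guest's IFSR/IFAR. */
typedef struct { uint32_t vaddress; uint32_t fsr; } ExcInfo;
typedef struct {
    ExcInfo exception;
    uint32_t ifsr_el1;   /* guest-visible fault status register */
    uint32_t ifar_el1;   /* guest-visible fault address register */
} ModelCPU;

enum { FSR_XLAT_FAULT = 0x5, FSR_DEBUG_EVENT = 0x2 }; /* constructed values */

/* Models arm_cpu_do_interrupt_aarch32(): copies both fields to the guest
 * without asking whether the raising code actually set vaddress. */
static void take_to_aarch32(ModelCPU *cpu)
{
    cpu->ifsr_el1 = cpu->exception.fsr;
    cpu->ifar_el1 = cpu->exception.vaddress;
}

/* An earlier EL2/secure prefetch abort legitimately records its address. */
static void privileged_prefetch_abort(ModelCPU *cpu, uint32_t addr)
{
    cpu->exception.fsr = FSR_XLAT_FAULT;
    cpu->exception.vaddress = addr;
    take_to_aarch32(cpu);
}

/* Pre-patch BKPT path: FAR is UNKNOWN, so vaddress was simply left alone. */
static uint32_t bkpt_before_fix(ModelCPU *cpu)
{
    cpu->exception.fsr = FSR_DEBUG_EVENT;
    take_to_aarch32(cpu);
    return cpu->ifar_el1;
}

/* Patched BKPT path: UNKNOWN is made a known value before entry. */
static uint32_t bkpt_after_fix(ModelCPU *cpu)
{
    cpu->exception.fsr = FSR_DEBUG_EVENT;
    cpu->exception.vaddress = 0;
    take_to_aarch32(cpu);
    return cpu->ifar_el1;
}

/* True if an EL1 debug exception observes the earlier privileged address. */
bool far_leaks(bool patched)
{
    ModelCPU cpu = {0};
    const uint32_t secret = 0xDEAD0000u; /* constructed EL2/secure fault address */
    privileged_prefetch_abort(&cpu, secret);
    return (patched ? bkpt_after_fix(&cpu) : bkpt_before_fix(&cpu)) == secret;
}
```

The same pattern applies to any emulator or kernel field that is "UNKNOWN" architecturally: a field the consumer reads unconditionally must be written on every path, or stale state from a higher privilege level crosses the boundary.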