On Fri, 15 Dec 2023 at 12:05, Max Filippov <jcmvb...@gmail.com> wrote:
>
> r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
> by the guest. The host uses 3 bits of the index for ITLB indexing and 4
> bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
> the DTLB array, so a malicious guest may trigger out-of-bound access to
> these arrays.
>
> Change split_tlb_entry_spec return type to bool to indicate whether TLB
> way passed to it is valid. Change get_tlb_entry to return NULL in case
> invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
> requested TLB way and entry indices are valid. Add checks to the
> [rwi]tlb helpers that requested TLB way is valid and return 0 or do
> nothing when it's not.
>
> Cc: qemu-sta...@nongnu.org
> Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
> Signed-off-by: Max Filippov <jcmvb...@gmail.com>
> ---

Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>

thanks
-- PMM
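The mismatch described in the quoted commit message, as an added example that is not part of the original mail and is not QEMU's code: a small C model in which the masked way index is validated before it is used as an array index. The names `mmu_model`, `tlb_entry`, `split_way`, `get_entry`, `read_paddr`, `count_rejected` and the per-way entry count are assumptions made for the illustration; only the 3-bit/4-bit masks and the 7/10 way counts come from the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* From the commit message: 7 ITLB ways, 10 DTLB ways. */
#define ITLB_WAYS 7
#define DTLB_WAYS 10
#define MAX_ENTRIES 8 /* assumed entries per way, for this model only */

typedef struct { uint32_t vaddr, paddr; } tlb_entry; /* hypothetical layout */

typedef struct {
    tlb_entry itlb[ITLB_WAYS][MAX_ENTRIES];
    tlb_entry dtlb[DTLB_WAYS][MAX_ENTRIES];
} mmu_model;

/* Way index from a guest-controlled register: 3 bits for ITLB, 4 for DTLB.
 * The mask alone allows 0..7 and 0..15, so the result is also compared
 * against the real array size. Returns false for a non-existent way. */
static bool split_way(uint32_t reg, bool dtlb, uint32_t *way)
{
    *way = reg & (dtlb ? 0xfu : 0x7u);
    return *way < (uint32_t)(dtlb ? DTLB_WAYS : ITLB_WAYS);
}

/* Lookup that yields NULL instead of an out-of-bounds pointer. */
static tlb_entry *get_entry(mmu_model *m, uint32_t reg, uint32_t ei, bool dtlb)
{
    uint32_t way;
    if (!split_way(reg, dtlb, &way) || ei >= MAX_ENTRIES)
        return NULL;
    return dtlb ? &m->dtlb[way][ei] : &m->itlb[way][ei];
}

/* Read-style helper: returns 0 when the requested way is invalid. */
static uint32_t read_paddr(mmu_model *m, uint32_t reg, bool dtlb)
{
    tlb_entry *e = get_entry(m, reg, 0, dtlb);
    return e ? e->paddr : 0;
}

/* How many masked way values the mask permits but the array lacks. */
static int count_rejected(bool dtlb)
{
    int n = 0;
    uint32_t way, max = dtlb ? 0xfu : 0x7u;
    for (uint32_t reg = 0; reg <= max; reg++)
        n += !split_way(reg, dtlb, &way);
    return n;
}
```

In this model one ITLB way value (7) and six DTLB way values (10 to 15) pass the mask but fall outside the arrays, which is the range a mask-only check would index out of bounds.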