qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v4 19/22] target/arm: Create tagged ram when MTE

From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH v4 19/22] target/arm: Create tagged ram when MTE is enabled
Date: Mon, 22 Jul 2019 17:03:11 +0100 
On Thu, 7 Mar 2019 at 17:05, Richard Henderson
<address@hidden> wrote:
>
> Signed-off-by: Richard Henderson <address@hidden>
> ---

> @@ -1182,16 +1194,19 @@ static void arm_cpu_realizefn(DeviceState *dev, Error 
> **errp)
>      init_cpreg_list(cpu);
>
>  #ifndef CONFIG_USER_ONLY
> +    cs->num_ases = 1;
>      if (cpu->has_el3 || arm_feature(env, ARM_FEATURE_M_SECURITY)) {
>          cs->num_ases = 2;
> -
>          if (!cpu->secure_memory) {
>              cpu->secure_memory = cs->memory;
>          }
>          cpu_address_space_init(cs, ARMASIdx_S, "cpu-secure-memory",
>                                 cpu->secure_memory);
> -    } else {
> -        cs->num_ases = 1;
> +    }
> +    if (cpu->tag_memory != NULL) {
> +        cs->num_ases = 3;
> +        cpu_address_space_init(cs, ARMASIdx_TAG, "cpu-tag-memory",
> +                               cpu->tag_memory);
>      }
>      cpu_address_space_init(cs, ARMASIdx_NS, "cpu-memory", cs->memory);

This code will result in an array overrun in cpu_address_space_init(),
because that function allocates the cpu->cpu_ases array the first
time it is called, using the value of cpu->num_ases at that point.
So if  we call it for "cpu-secure-memory" when cpu->num_ases is 2,
the later call for "cpu-tag-memory" won't reallocate the array to
have size 3, it will just index off the end of it.

You should be able to see this with valgrind for the case of
the 'virt' board with EL3 enabled:

 valgrind ./build/x86/aarch64-softmmu/qemu-system-aarch64 -cpu max -M
virt,secure=on

==16861== Invalid write of size 8
==16861==    at 0x4120FA: cpu_address_space_init (exec.c:906)
==16861==    by 0x636F80: arm_cpu_realizefn (cpu.c:1617)
==16861==    by 0x80B920: device_set_realized (qdev.c:834)
==16861==    by 0xA9A94B: property_set_bool (object.c:2076)
==16861==    by 0xA98BC7: object_property_set (object.c:1268)
==16861==    by 0xA9BC8D: object_property_set_qobject (qom-qobject.c:26)
==16861==    by 0xA98EAC: object_property_set_bool (object.c:1334)
==16861==    by 0x5A0D0F: machvirt_init (virt.c:1677)
==16861==    by 0x81544B: machine_run_board_init (machine.c:1148)
==16861==    by 0x767B7E: main (vl.c:4348)
==16861==  Address 0x2c257720 is 0 bytes after a block of size 384 alloc'd
==16861==    at 0x4C31B25: calloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16861==    by 0x6100B10: g_malloc0 (in
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.5600.4)
==16861==    by 0x4120BE: cpu_address_space_init (exec.c:902)
==16861==    by 0x636F30: arm_cpu_realizefn (cpu.c:1612)
==16861==    by 0x80B920: device_set_realized (qdev.c:834)
==16861==    by 0xA9A94B: property_set_bool (object.c:2076)
==16861==    by 0xA98BC7: object_property_set (object.c:1268)
==16861==    by 0xA9BC8D: object_property_set_qobject (qom-qobject.c:26)
==16861==    by 0xA98EAC: object_property_set_bool (object.c:1334)
==16861==    by 0x5A0D0F: machvirt_init (virt.c:1677)
==16861==    by 0x81544B: machine_run_board_init (machine.c:1148)
==16861==    by 0x767B7E: main (vl.c:4348)


thanks
-- PMM
reply via email to
[Prev in Thread] Current Thread [Next in Thread]