The bug being resolved is that the current code in mmu_lookup() assumes
a valid 64-bit address space. If a guest has a 32-bit address space, a
page translation that crosses beyond the last page in the address space
will overflow out of the allocated guest virtual memory space in the
QEMU application and cause it to crash. In this case the first page will
be the last of the 32-bit address space (for example 0xFFFFF000 for 4K
page sizes) and the second page will overflow to a page beyond the
32-bit address space (0x100000000 in the very same example). An invalid
translation will be added to the cpu translation table from the second
page. Though the translation will be for page address 0x100000000,
checks in other parts of the codebase actually enforce using only 32
bits, and will match this translation. Part of the stored translation is
the effective address, and another part is the addend to be used to
offset into the QEMU process's virtual memory space. The addend will
incorporate the 0x100000000 and offset into likely invalid virtual
address space.

The fix in the diff checks if the target is 32 bits and wraps the second
page address to the beginning of the memory space. Along with this we
have submitted a test to show this using Pegasos2.
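As an added example (not code from the patch series or from QEMU), a small C model of the page-split arithmetic described above: a hypothetical second_page() helper shows the unwrapped second-page address beside the wrapped one, and tlb_tag_matches() models a compare that only honours the guest's address width, so the overflowed entry would match page 0. PAGE_BITS, vaddr_mask() and the 32-bit guest address are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_BITS 12
#define PAGE_SIZE ((uint64_t)1 << PAGE_BITS)
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* Mask covering the guest's virtual address width (assumed helper). */
static uint64_t vaddr_mask(int target_bits)
{
    return target_bits >= 64 ? UINT64_MAX : (((uint64_t)1 << target_bits) - 1);
}

/* True when a 'size'-byte access at 'addr' spills into the following page. */
static int crosses_page(uint64_t addr, unsigned size)
{
    return ((addr + size - 1) & PAGE_MASK) != (addr & PAGE_MASK);
}

/* Page address of the second half of a cross-page access. With wrap == 0 this
 * is the pre-fix arithmetic: for a 32-bit guest 0xFFFFF000 + 0x1000 yields
 * 0x100000000, outside the guest address space. With wrap == 1 the result is
 * folded back to the guest's address width, so it becomes page 0. */
static uint64_t second_page(uint64_t addr, int target_bits, int wrap)
{
    uint64_t next = (addr & PAGE_MASK) + PAGE_SIZE;
    return wrap ? (next & vaddr_mask(target_bits)) : next;
}

/* Model of a TLB compare that only honours 'target_bits' of the address:
 * an entry tagged 0x100000000 compares equal to a lookup for address 0. */
static int tlb_tag_matches(uint64_t entry_addr, uint64_t lookup_addr, int target_bits)
{
    return ((entry_addr ^ lookup_addr) & vaddr_mask(target_bits)) == 0;
}

int main(void)
{
    uint64_t first = 0xFFFFFFFEULL & PAGE_MASK; /* constructed: last 4K page of a 32-bit guest */
    uint64_t bad = second_page(first, 32, 0);
    uint64_t good = second_page(first, 32, 1);
    printf("unwrapped 0x%llx, wrapped 0x%llx\n", (unsigned long long)bad, (unsigned long long)good);
    printf("stale 0x100000000 tag matches a page-0 lookup: %d\n", tlb_tag_matches(bad, 0, 32));
    return 0;
}
```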

Signed-off-by: Percival Engineering <f...@percivalemg.com>

f...@percivaleng.com (2):
  Fix: TCG cross-page overflow for 32 bit guest
  Added TCG cross-page overflow test

 accel/tcg/cputlb.c                    |  7 +++
 tests/functional/meson.build          |  1 +
 tests/functional/test_ppc_pegasos2.py | 69 +++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100755 tests/functional/test_ppc_pegasos2.py

-- 
2.45.3
