On Tue, Jan 20, 2015 at 7:58 AM, Peter Maydell <peter.mayd...@linaro.org>
wrote:
> The LDT/STT (load/store unprivileged) instruction decode was using
> the wrong MMU index value. This meant that instead of these insns
> being "always access as if user-mode regardless of current privilege"
> they were "always access as if kernel-mode regardless of current
> privilege". This went unnoticed because AArch64 Linux doesn't use
> these instructions.
>
> Cc: qemu-sta...@nongnu.org
>
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
> ---
> I'm not counting this as a security issue because I'm assuming
> nobody treats TCG guests as a security boundary (certainly I
> would not recommend doing so...)
> ---
> target-arm/translate-a64.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
> index 80d2359..dac2f63 100644
> --- a/target-arm/translate-a64.c
> +++ b/target-arm/translate-a64.c
> @@ -2107,7 +2107,7 @@ static void disas_ldst_reg_imm9(DisasContext *s,
> uint32_t insn)
> }
> } else {
> TCGv_i64 tcg_rt = cpu_reg(s, rt);
> - int memidx = is_unpriv ? 1 : get_mem_index(s);
> + int memidx = is_unpriv ? MMU_USER_IDX : get_mem_index(s);
>
> if (is_store) {
> do_gpr_st_memidx(s, tcg_rt, tcg_addr, size, memidx);
> --
> 1.9.1
>
>
>
Reviewed-by: Greg Bellows <greg.bell...@linaro.org>
