From 92b5817d923cc3aa17e49e21f6744875306f7a18 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Sun, 25 Mar 2018 16:38:12 -0400 Subject: [PATCH] target/arm: Always set FAR to a known unknown value for debug exceptions For debug exceptions due to breakpoints or the BKPT instruction which are taken to AArch32, the Fault Address Register is architecturally UNKNOWN. We were using that as license to simply not set env->exception.vaddress, but this isn't correct, because it will expose to the guest whatever old value was in that field when arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR. That old value might be a FAR for a previous guest EL2 or secure exception, in which case we shouldn't show it to an EL1 or non-secure exception handler. It might also be a non-deterministic value, which is bad for record-and-replay. Clear env->exception.vaddress before taking breakpoint debug exceptions, to avoid this minor information leak. Backports commit 548f514cf89dd9ab39c0cb4c063097bccf141fdd from qemu --- qemu/target/arm/op_helper.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/qemu/target/arm/op_helper.c b/qemu/target/arm/op_helper.c index 51770dee..170e1b64 100644 --- a/qemu/target/arm/op_helper.c +++ b/qemu/target/arm/op_helper.c @@ -496,6 +496,11 @@ void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) { /* FSR will only be used if the debug target EL is AArch32. */ env->exception.fsr = arm_debug_exception_fsr(env); + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); } @@ -1334,7 +1339,11 @@ void arm_debug_excp_handler(CPUState *cs) } env->exception.fsr = arm_debug_exception_fsr(env); - /* FAR is UNKNOWN, so doesn't need setting */ + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_PREFETCH_ABORT, syn_breakpoint(same_el), arm_debug_target_el(env));