QEMU

ARM bootloader does not set r0 to 0

Bug #1572329 reported by Sylvain on 2016-04-19

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

The link register is not properly set up in the ARM bootloader code, leading to the instruction which sets r0 to 0x00000000 to be skipped.

As a consequence, r0 may hold the value leaked from the board setup code.

For instance, if using arm_write_secure_board_setup_dummy_smc, r0 holds 0x00000031.

Attached is a patch to fix the issue.

Please include Sylvain Garrigues <email address hidden> in the commit log.

See original description

Revision history for this message

Sylvain (sylvain-m) wrote on 2016-04-20:

Fix ARM bootloader Edit (449 bytes, text/plain)

Sylvain (sylvain-m) on 2016-04-20

description:	updated
summary:	- ARM emulation: r0 != 0 on boot + ARM bootloader does not set r0 to 0

Revision history for this message

Peter Maydell (pmaydell) wrote on 2016-04-20: Re: [Qemu-devel] [Bug 1572329] [NEW] ARM emulation: r0 != 0 on boot

On 19 April 2016 at 23:34, Sylvain <email address hidden> wrote:
> # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
> kernel.bin -serial stdio -dtb rpi2.dtb
>
> My code shows r0 = 0x31 while it should be 0.

Hi. Thanks for this bug report and the patch. In order
for us to be able to use your patch, we'll need you to
provide a signed-off-by line, which tells us you have
the legal right to submit it and are happy for us to
include it in QEMU under QEMU's licensing terms.
(You can look at
http://wiki.qemu.org/Contribute/SubmitAPatch#Patch_emails_must_include_a_Signed-off-by:_line
if you want more details.)

You can provide a signoff just by replying to this email
with a line which reads
"Signed-off-by: Your Name <your.email@here>".

A couple of notes: this bug only affects boards which
have a write_board_setup function, which means only
highbank/midway, raspi2, and xilinx_zynq; that's probably
why we didn't spot it earlier.

thanks
-- PMM

Revision history for this message

Sylvain (sylvain-m) wrote on 2016-04-20:

Signed-off-by: Sylvain Garrigues <email address hidden>

Fix link register patch follows:

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 5975fbf..5876945 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -68,7 +68,7 @@ static const ARMInsnFixup bootloader_aarch64[] = {
*/

static const ARMInsnFixup bootloader[] = {
- { 0xe28fe008 }, /* add lr, pc, #8 */
+ { 0xe28fe004 }, /* add lr, pc, #4 */
{ 0xe51ff004 }, /* ldr pc, [pc, #-4] */
{ 0, FIXUP_BOARD_SETUP },
#define BOOTLOADER_NO_BOARD_SETUP_OFFSET 3

> Le 20 avr. 2016 à 16:21, Peter Maydell <email address hidden> a écrit :
>
> On 19 April 2016 at 23:34, Sylvain <email address hidden> wrote:
>> # arm-softmmu/qemu-system-arm -M raspi2 -m 1024 -smp 4 -kernel
>> kernel.bin -serial stdio -dtb rpi2.dtb
>>
>> My code shows r0 = 0x31 while it should be 0.
>
> Hi. Thanks for this bug report and the patch. In order
> for us to be able to use your patch, we'll need you to
> provide a signed-off-by line, which tells us you have
> the legal right to submit it and are happy for us to
> include it in QEMU under QEMU's licensing terms.
> (You can look at
> http://wiki.qemu.org/Contribute/SubmitAPatch#Patch_emails_must_include_a_Signed-off-by:_line
> if you want more details.)
>
> You can provide a signoff just by replying to this email
> with a line which reads
> "Signed-off-by: Your Name <your.email@here>".
>
> A couple of notes: this bug only affects boards which
> have a write_board_setup function, which means only
> highbank/midway, raspi2, and xilinx_zynq; that's probably
> why we didn't spot it earlier.
>
> thanks
> -- PMM