From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 11/28] target-arm: check that LSB <= MSB in BFI instruction
Date: Thu, 5 Feb 2015 14:02:50 +0000 [thread overview]
Message-ID: <1423144987-11425-12-git-send-email-peter.maydell@linaro.org> (raw)
In-Reply-To: <1423144987-11425-1-git-send-email-peter.maydell@linaro.org>
From: Kirill Batuzov <batuzovk@ispras.ru>
The documentation states that if LSB > MSB in the BFI instruction, behaviour
is unpredictable. Currently QEMU crashes because of an assertion failure in
this case:

    tcg/tcg-op.h:2061: tcg_gen_deposit_i32: Assertion `len <= 32' failed.

While an assertion failure may meet the "unpredictable" definition, this
behaviour is undesirable because it allows an unprivileged guest program
to crash the emulator with the OS and other programs.

This patch addresses the issue by throwing an illegal instruction exception
if LSB > MSB. Only the ARM decoder is affected because the Thumb decoder already
has this check in place.

To reproduce the issue, run the following program

    int main(void) {
        asm volatile (".long 0x07c00c12" :: );
        return 0;
    }

compiled with

    gcc -marm -static badop_arm.c -o badop_arm
Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
target-arm/translate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target-arm/translate.c b/target-arm/translate.c
index bdfcdf1..2c1c2a7 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -8739,6 +8739,10 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
ARCH(6T2);
shift = (insn >> 7) & 0x1f;
i = (insn >> 16) & 0x1f;
+ if (i < shift) {
+ /* UNPREDICTABLE; we choose to UNDEF */
+ goto illegal_op;
+ }
i = i + 1 - shift;
if (rm == 15) {
tmp = tcg_temp_new_i32();
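Review bot: The new guard must be evaluated before `i = i + 1 - shift;`, and it is: with `i` holding the msb field and `shift` the lsb field, `i < shift` is exactly the LSB > MSB case, and the unguarded subtraction is what produces the out-of-range `len` that trips the `len <= 32` assertion in tcg_gen_deposit_i32. One suggestion for the comment `/* UNPREDICTABLE; we choose to UNDEF */`: mention that this matches the existing check in the Thumb decoder, so a reader of this hunk alone knows both decoders now agree on the UNDEF choice for this encoding.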
--
1.9.1
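The check in the patch is easier to reason about with the BFI bit fields spelled out. The following C program is an added illustration, not code from the mail or from QEMU: it decodes the A32 BFI encoding (cond, msb, Rd, lsb, Rn), applies the same msb >= lsb validity rule the patch adds to the ARM decoder, and models the deposit semantics so the rejected and accepted cases can be compared. The instruction word 0x07c00c12 comes from the commit message; the second word and the register values are constructed for the demonstration, and the treatment of Rn == 15 as a clear (BFC) is the ARM-documented behaviour, assumed here rather than taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Field layout of the A32 (ARM-state) BFI encoding, ARMv6T2 and later:
 *   bits 31:28 cond | 27:21 = 0b0111110 | 20:16 msb | 15:12 Rd |
 *   bits 11:7 lsb   | 6:4 = 0b001       | 3:0 Rn
 * BFC uses the same encoding with Rn == 15 (the decoder's "rm == 15" case).
 */
typedef struct {
    unsigned cond, msb, rd, lsb, rn;
} bfi_fields;

/* Extract bits hi..lo (inclusive) of insn; the caller keeps hi - lo below 31. */
static unsigned bits(uint32_t insn, unsigned hi, unsigned lo)
{
    return (insn >> lo) & ((1u << (hi - lo + 1)) - 1u);
}

/* True when the fixed opcode bits match BFI/BFC. */
bool is_bfi(uint32_t insn)
{
    return bits(insn, 27, 21) == 0x3e && bits(insn, 6, 4) == 0x1;
}

bfi_fields decode_bfi(uint32_t insn)
{
    bfi_fields f;
    f.cond = bits(insn, 31, 28);
    f.msb  = bits(insn, 20, 16);   /* "i" in the QEMU decoder */
    f.rd   = bits(insn, 15, 12);
    f.lsb  = bits(insn, 11, 7);    /* "shift" in the QEMU decoder */
    f.rn   = bits(insn, 3, 0);
    return f;
}

/* Width of the inserted field, or -1 when lsb > msb (UNPREDICTABLE, treated as UNDEF). */
int bfi_width(uint32_t insn)
{
    bfi_fields f = decode_bfi(insn);
    if (!is_bfi(insn) || f.msb < f.lsb) {
        return -1;                 /* the case the patch now rejects */
    }
    return (int)(f.msb + 1 - f.lsb);   /* 1..32 once the check has passed */
}

bool bfi_is_valid(uint32_t insn)
{
    return bfi_width(insn) > 0;
}

/* Reference deposit: the low `width` bits of rn replace bits lsb..lsb+width-1 of rd. */
uint32_t bfi_apply(uint32_t rd, uint32_t rn, unsigned lsb, unsigned width)
{
    /* width == 32 only occurs with lsb == 0; avoid the undefined 1u << 32. */
    uint32_t field_mask = (width >= 32) ? 0xffffffffu : ((1u << width) - 1u);
    return (rd & ~(field_mask << lsb)) | ((rn & field_mask) << lsb);
}

/* Returns 0 and writes *rd_out on success, -1 if the encoding would be rejected. */
int bfi_execute(uint32_t insn, uint32_t rd, uint32_t rn, uint32_t *rd_out)
{
    int width = bfi_width(insn);
    if (width < 0) {
        return -1;
    }
    bfi_fields f = decode_bfi(insn);
    /* Rn == 15 encodes BFC: the field is cleared rather than filled from a register. */
    *rd_out = bfi_apply(rd, f.rn == 15 ? 0u : rn, f.lsb, (unsigned)width);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the word from the mail (lsb 24, msb 0) and a
     * well-formed BFI r0, r2, #8, #4 (lsb 8, msb 11). */
    uint32_t words[] = { 0x07c00c12u, 0xe7cb0412u };
    for (size_t k = 0; k < 2; k++) {
        bfi_fields f = decode_bfi(words[k]);
        uint32_t out = 0;
        int rc = bfi_execute(words[k], 0xffffffffu, 0x5u, &out);
        printf("%08x: lsb=%u msb=%u width=%d -> %s\n", words[k], f.lsb, f.msb,
               bfi_width(words[k]), rc ? "UNDEF" : "ok");
        if (rc == 0) {
            printf("  rd = %08x\n", out);
        }
    }
    return 0;
}
```

Running it shows why the assertion fired: for 0x07c00c12 the decoded lsb is 24 and msb is 0, so the unguarded `msb + 1 - lsb` would be a large unsigned value rather than a width in 1..32; the guard rejects it before any width is computed, which is the ordering the patch relies on.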