From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 10/53] target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd
Date: Thu, 30 Jul 2015 06:32:25 -0500 [thread overview]
Message-ID: <1438255988-10418-11-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1438255988-10418-1-git-send-email-mdroth@linux.vnet.ibm.com>
From: Peter Maydell <peter.maydell@linaro.org>
A LDRD or STRD where rd is not an even number is UNPREDICTABLE.
We were letting this fall through, which is OK unless rd is 15,
in which case we would attempt to do a load_reg or store_reg
to a nonexistent r16 for the second half of the double-word.
Catch the odd-numbered-rd cases and UNDEF them instead.
To do this we rearrange the structure of the code a little
so we can put the UNDEF catches at the top before we've
allocated TCG temporaries.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1431348973-21315-1-git-send-email-peter.maydell@linaro.org
(cherry picked from commit 3960c336ad96c2183549c8bf32bbff93ecda7ea4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
target-arm/translate.c | 56 ++++++++++++++++++++++++++++----------------------
1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/target-arm/translate.c b/target-arm/translate.c
index 9116529..f8f72be 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -8423,34 +8423,30 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
}
} else {
int address_offset;
- int load;
+ bool load = insn & (1 << 20);
+ bool doubleword = false;
/* Misc load/store */
rn = (insn >> 16) & 0xf;
rd = (insn >> 12) & 0xf;
+
+ if (!load && (sh & 2)) {
+ /* doubleword */
+ ARCH(5TE);
+ if (rd & 1) {
+ /* UNPREDICTABLE; we choose to UNDEF */
+ goto illegal_op;
+ }
+ load = (sh & 1) == 0;
+ doubleword = true;
+ }
+
addr = load_reg(s, rn);
if (insn & (1 << 24))
gen_add_datah_offset(s, insn, 0, addr);
address_offset = 0;
- if (insn & (1 << 20)) {
- /* load */
- tmp = tcg_temp_new_i32();
- switch(sh) {
- case 1:
- gen_aa32_ld16u(tmp, addr, get_mem_index(s));
- break;
- case 2:
- gen_aa32_ld8s(tmp, addr, get_mem_index(s));
- break;
- default:
- case 3:
- gen_aa32_ld16s(tmp, addr, get_mem_index(s));
- break;
- }
- load = 1;
- } else if (sh & 2) {
- ARCH(5TE);
- /* doubleword */
- if (sh & 1) {
+
+ if (doubleword) {
+ if (!load) {
/* store */
tmp = load_reg(s, rd);
gen_aa32_st32(tmp, addr, get_mem_index(s));
@@ -8459,7 +8455,6 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
tmp = load_reg(s, rd + 1);
gen_aa32_st32(tmp, addr, get_mem_index(s));
tcg_temp_free_i32(tmp);
- load = 0;
} else {
/* load */
tmp = tcg_temp_new_i32();
@@ -8469,15 +8464,28 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
tmp = tcg_temp_new_i32();
gen_aa32_ld32u(tmp, addr, get_mem_index(s));
rd++;
- load = 1;
}
address_offset = -4;
+ } else if (load) {
+ /* load */
+ tmp = tcg_temp_new_i32();
+ switch (sh) {
+ case 1:
+ gen_aa32_ld16u(tmp, addr, get_mem_index(s));
+ break;
+ case 2:
+ gen_aa32_ld8s(tmp, addr, get_mem_index(s));
+ break;
+ default:
+ case 3:
+ gen_aa32_ld16s(tmp, addr, get_mem_index(s));
+ break;
+ }
} else {
/* store */
tmp = load_reg(s, rd);
gen_aa32_st16(tmp, addr, get_mem_index(s));
tcg_temp_free_i32(tmp);
- load = 0;
}
/* Perform base writeback before the loaded value to
ensure correct behavior with overlapping index registers.
--
1.9.1
next prev parent reply other threads:[~2015-07-30 11:34 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-30 11:32 [Qemu-devel] Patch Round-up for stable 2.3.1, freeze on 2015-08-06 Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 01/53] bt-sdp: fix broken uuids power-of-2 calculation Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 02/53] block/iscsi: do not forget to logout from target Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 03/53] Strip brackets from vnc host Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 04/53] nbd/trivial: fix type cast for ioctl Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 05/53] vmdk: Fix next_cluster_sector for compressed write Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000 Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 07/53] qcow2: Flush pending discards before allocating cluster Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 08/53] usb: fix usb-net segfault Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 09/53] virtio-net: fix the upper bound when trying to delete queues Michael Roth
2015-07-30 11:32 ` Michael Roth [this message]
2015-07-30 11:32 ` [Qemu-devel] [PATCH 11/53] fdc: force the fifo access to be in bounds of the allocated buffer Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 12/53] Revert "block: Fix unaligned zero write" Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 13/53] block: Fix NULL deference for unaligned write if qiov is NULL Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 14/53] qemu-iotests: Test unaligned sub-block zero write Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 15/53] hw/acpi/aml-build: Fix memory leak Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 16/53] qga/commands-posix: Fix bug in guest-fstrim Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 17/53] kbd: add brazil kbd keys to qemu Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 18/53] kbd: add brazil kbd keys to x11 evdev map Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 19/53] qcow2: Set MIN_L2_CACHE_SIZE to 2 Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 20/53] iotests: qcow2 COW with minimal L2 cache size Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 21/53] vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 22/53] vmdk: Use vmdk_find_index_in_cluster everywhere Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 23/53] sdl2: fix crash in handle_windowevent() when restoring the screen size Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 24/53] spice-display: fix segfault in qemu_spice_create_update Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 25/53] i8254: fix out-of-bounds memory access in pit_ioport_read() Michael Roth
2015-08-03 8:40 ` [Qemu-devel] 答复: " lidonglin
2015-08-03 11:46 ` Paolo Bonzini
2015-07-30 11:32 ` [Qemu-devel] [PATCH 26/53] hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf() Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 27/53] vhost: correctly pass error to caller in vhost_dev_enable_notifiers() Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 28/53] virtio-ccw: complete handling of guest-initiated resets Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 29/53] block: Add bdrv_get_block_status_above Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 30/53] qmp: Add optional bool "unmap" to drive-mirror Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 31/53] mirror: Do zero write on target if sectors not allocated Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 32/53] block: Fix dirty bitmap in bdrv_co_discard Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 33/53] qemu-iotests: Make block job methods common Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 34/53] qemu-iotests: Add test case for mirror with unmap Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 35/53] iotests: Use event_wait in wait_ready Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 36/53] iotests: add QMP event waiting queue Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 37/53] block/nfs: limit maximum readahead size to 1MB Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 38/53] s390x/ipl: Fix boot if no bootindex was specified Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 39/53] spapr_vty: lookup should only return valid VTY objects Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 40/53] target-ppc: fix hugepage support when using memory-backend-file Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 41/53] Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 42/53] block: Initialize local_err in bdrv_append_temp_snapshot Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 43/53] mips/kvm: Fix Big endian 32-bit register access Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 44/53] mips/kvm: Sign extend registers written to KVM Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 45/53] vfio/pci: Fix RTL8168 NIC quirks Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 46/53] virtio-net: unbreak any layout Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 47/53] vfio/pci: Fix bootindex Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 49/53] block: vpc - prevent overflow if max_table_entries >= 0x40000000 Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 50/53] block: qemu-iotests - add check for multiplication overflow in vpc Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 51/53] ide: Check array bounds before writing to io_buffer (CVE-2015-5154) Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 52/53] ide/atapi: Fix START STOP UNIT command completion Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 53/53] ide: Clear DRQ after handling all expected accesses Michael Roth
2015-08-04 17:41 ` [Qemu-devel] Patch Round-up for stable 2.3.1, freeze on 2015-08-06 Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1438255988-10418-11-git-send-email-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).